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ABSTRACT 


Although Identity Management (IdM) and biometrics have been engrained in the 
business practices of private and commercial organizations for decades, the United States 
Government (USG) and the Department of Defense (DoD) have only truly started to 
institute a holistic IdM Enterprise within the last decade. More specifically, the DoD has 
really sharpened the focus on leveraging biometrics since the beginning of the War on 
Terror. The operational capability to distinguish Red Forces or Gray Forces from Blue 
Forces is now a common daily occurrence. Regardless of the theater or Area of 
Operations, U.S. forces are utilizing biometrics to identify our enemies. 

In the next phase of implementing a comprehensive IdM Enterprise, the DoD is 
crafting new IdM policies, procedures, and systems that will distinguish between various 
levels of access and security controls among Blue Eorces. Blue Force IdM architectures 
are required by specific USG and DoD policies to enforce standardization in policy and 
application across all federal agencies to improve and synchronize their business 
practices. And with many agencies crafting their own version of the future, a basic 
understanding of current IdM and biometrics requirements, as well as potential biometric 
resources, is necessary to move forward. 
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PREFACE 


Before being unwittingly thrown into the Naval Postgraduate School, I spent 
fourteen years honing my professional military skills as a Naval Helicopter Pilot. I flew 
the slightly aged, but none-the-less potent, SH-60B Seahawk from the flight deck’s of the 
U.S. Navy’s newest and oldest surface combatants. I amassed over 2200 flight hours and 
was individually selected for a prestigious Seahawk Weapons and Tactics Instructor 
billet. It is the helicopter version of Top Gun for those unfamiliar. Life was good. 

Roughly a little over four years ago, the pre-selected path I had been following 
was soon closed off. My career took an unrecoverable blow that forced me into a degree 
program at a graduate school I had not chosen. As circumstances sometimes end up, I 
came to enjoy my degree — Information Technology Management. The degree program 
was tailored for future managers of the DoD Information Technology infrastructure, not 
technicians. Which ended up being good for me, since my previous degrees were non¬ 
technical — an MBA and a Bachelor’s in Political Science. I enjoyed the program so 
much that I applied for and received a redesignation out of the Aviation Community and 
into the Navy’s Information Professional (IP) Community. This was the only way to 
ensure that I would have an opportunity to apply the degree following graduation. 

During the second half of my first year, I got involved in a student run and faculty 
supported organization called Cooperative Operations and Applied Science & 
Technology Studies (COASTS). The organization allows student volunteers to find 
opportunities for relevant thesis subjects to be evaluated in mock operational situations in 
the United States and overseas in Thailand. There are opportunities to get involved in 
actual operational Fleet testing, but the vast majority of tests are done in a more 
controlled fashion. In one of my first COASTS meetings, I was introduced to some 
biometric devices and quickly decided that this could be an area I could spend countless 
hours researching for a thesis and not get bored. 
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The original intent of my thesis had been to take an interesting and potentially 
useful dynamic signature biometric device and test it. I would then take the testing data 
and compare its effectiveness against some of the more popular biometric devices. 
Eventually, I came to realize that my signature biometric device — the Bio-Pen by 
DynaSig — would not necessarily compare evenly against other devices. The vast 
majority of DoD biometrics revolve around devices meant for application in an 
operational environment. Taking the Bio-Pen and making a case that it could be a useful 
‘operational’ biometric was inherently flawed. 

As I further continued my research into biometrics, I came to understand that 
biometrics was really just a subset resource for a larger Federal Identity Management 
(IdM) Enterprise. I also found that there were a lot of redundant instructions and work 
being done independently, especially among the individual DoD services. This, despite 
federal and DoD policies that dictated all players use a team concept to develop and 
integrate biometrics. The lack of cohesion was further verified from other students in a 
Distance Learning IdM certification curriculum. The other students were a varied group 
from across federal and DoD organizations working on IdM and biometric issues every 
day. 

I eventually realized that I needed to do a thesis that summarized the current state 
of federal and DoD IdM. With so many disparate instructions, documents, policies, 
acquisition papers, and memos detailing how IdM needs to be applied, there was no 
single understandable resource to explain the ‘Whys’ behind the ‘Whats’ of the Federal 
and DoD IdM Enterprise. Concurrently, I wanted to discuss a potential resource in the 
growing area of Blue Force IdM and biometrics. Just as a signature device is not suited 
for most operational applications, other biometrics may not be suited for Blue Force 
business practices. I hope my small thesis helps other people like me interested in IdM 
and biometrics, but without any background in either, better understand some of the 
‘Whys.’ 
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I. IDENTITY MANAGEMENT OVERVIEW 


A. INTRODUCTION 

Identity Management : The combination of systems, rules and 
procedures that defines an agreement between an individual and 
organization(s) regarding ownership, utilization and safeguard of 
personal identity information. 

National Science and Technology Council Biometrics Glossary 

In order to have an intelligent understanding about the field of Identity 
Management (IdM) within the U.S. Government (USG) and Department of Defense 
(DoD), it is necessary to have a working knowledge of the overarching documents, 
instructions, and reports that dictate the current operational and business process goals. 
One of the biggest issues in trying to understand the current situation in regards to IdM 
within the USG and DoD, is that there is no general consensus on the way ahead. Even 
though IdM has gained a lot of attention and resources since 9/11, the majority of efforts 
are focused on Known or Suspected Terrorists (KST) and military operations. Little 
federal attention or resources, until recently, have been allocated for Blue (friendly) Force 
IdM and internal business practices. 

This chapter sets the scene in regards to the high level guidance, wherein present 
and future decisions will be made concerning the implementation and acquisition of IdM 
Enterprise and Architecture resources. This chapter will summarize, in as concise a 
format as possible, the most current significant and influential documents shaping the 
growing field of Federal IdM, as well as some of the implications derived as a 
consequence of their enactment. To paraphrase my first Officer in Charge every time I 
asked him how to complete one of his tasks, “What does the instruction say ” 
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B. NON-DOD FEDERAL DOCUMENTS 

1. Homeland Security Presidential Directives 

The events of September 11, 2001 ushered in a profound realization that it was no 
longer acceptable to slowly migrate towards specific national security requirements and 
milestones. The ability and need to identify potential and confirmed terrorists worldwide 
was made a high priority requirement by the President for the newly formed Department 
of Homeland Security (DHS). Through specific Homeland Security Presidential 
Directives (HSPD), the President outlined requirements with direct implications in IdM 
and biometrics throughout the federal government. Some of the most significant HSPDs 
are detailed below. 


a. HSPD 6: Directive on Inte gration and Use of Screening 
Information to Protect against Terrorism 

This early HSPD was released in September 2003 and addressed issues 
dealing with information on individuals known or suspected to engage in terrorist 
activities. HSPD 6 was designed for the Secretaries of Homeland Security and State, the 
Director of Central Intelligence, and the Attorney General. The Directive specifically 
spells out (in a legal like vocabulary) two objectives towards the goal of protecting the 
United Sates against terrorists: 

(1) Develop, integrate, and maintain thorough, accurate, and current 
information about individuals known or appropriately suspected to be or 
have been engaged in conduct constituting, in preparation for, in aid of, or 
related to terrorism (aka Terrorist Information); and, 

(2) Use that information as appropriate and to the full extent permitted by law 
to support; 

(a) Federal, State, local, territorial, tribal, foreign-government, private- 
sector screening processes; and. 
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(b) Diplomatic, military, intelligence, law enforcement, immigration, 
visa, and protective processes (White House, HSPD 6). 

Any information gathered by HSPD 6 is directed to be provided to the 
Terrorist Threat Integration Center (TTIC). Along with the above requirement, the 
responsible parties are required to report to the Attorney General about possible 
opportunities in which screening can and cannot be conducted. 

b. HSPD 12: Policy for a Common Identification Standard for 
Federal Employees and Contractors 

About a year after HSPD 6 was signed in August 2004, the basic 
requirement to identify terrorists and their affiliates was expanded. It grew by mandating 
a USG-wide Identification (ID) Standard to include the protection of federal personnel 
and facilities from intrusion or attack by terrorists. This far reaching requirement for a 
federal standard was applied to all federal employees, contractors, and contractor 
employees. Although HSPD 12 is a mere page long, it is quite simply one of the 
foundational and most influential documents in regards to MM requirements throughout 
the USG and DoD. 

Section 1 of HSPD 12 more clearly sets forth the overarching goals by 

stating. 


Wide variations in the quality and security of forms of identification used 
to gain access to secure federal and other facilities where there is 
potential for terrorist attacks need to be eliminated. Therefore, it is the 
policy of the United States to enhance security, increase Government 
efficiency, reduce identity fraud, and protect personal privacy by 
establishing a mandatory. Government-wide standard for secure and 
reliable forms of identification issued by the federal Government to its 
employees, contractors, and contractor employees (White House 1). 

The Secretary of Commerce was designated as lead and directed to 
coordinate the development of a Federal Identity Standard among the Secretaries of State, 
Defense, and Homeland Security; the Attorney General; as well as the Directors of the 
Office of Management & Budget and the Office of Science and Technology Policy. In 

accordance with the timeframe requirements spelled out in HSPD 12, the Federal ID 
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Standard was to have been promulgated six months after the date of the directive. 
Federal agencies would then have up to four months, but no more than eight months, to 
have a program in place that meets the Standard. In February 2005, the Department of 
Commerce released the Federal Identity Standard through the National Institute of 
Standards and Technology as the Federal Information Processing Standard Publication 
201 . 


2. Federal Information Processing Standards (FIPS) Publication 201-1 

FIPS Publication 201-1 — Personal Identity Verification (PIV) of Federal 
Employees and Contractors is the direct result of the requirement for a single, federal 
identification standard as directed by HSPD 12. FIPS 201-1 was released in March 2006 
to revise and update FIPS 201 that was originally released by the Department of 
Commerce on February 25, 2005. The first and only Change Notice to FIPS was released 
on June 23, 2006 to account for changes in graphics standards on the physical PIV card 
and changes to a specific type of encoding. 

The intended goal of FIPS 201-1 in specifying an Identity Standard for federal 
agencies was 

...to achieve appropriate security assurance for the multiple applications 
by efficiently verifying the claimed identity of individuals seeking physical 
access to federally controlled government facilities and electronic access 
to government information systems (Technology Hi). 

In an effort to achieve that goal incrementally, FIPS 201-1 is divided into two 
sections. Personal Identity Verification Part I (PIV-I) and Personal Identity Verification 
Part I (PIV-II). PIV-I requirements for a common identification form (smart card) were 
to be met by October 27, 2005, while implementation guidance for architectural systems 
guidance in PIV-II would be issued at a later date by the Office of Management and 
Budget (0MB). PIV-I is all of three and half to four pages of the ninety-plus page total 
document. Its objectives are based on HSPD 12 prerequisites that states the physical 
identification card produced in accordance with the Identity Standard must meet four 
security and reliability requirements: 
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(1) Issued based on sound criteria for verifying an individual employee’s 
identity, 

(2) Strongly resistant to identity fraud, tampering, counterfeiting and terrorist 
exploitation, 

(3) Can be rapidly authenticated electronically, and, 

(4) Issued only by providers whose reliability has been established by an 
official accreditation process (Technology iv). 

In most cases, a large portion of the federal government already had established 
forms of PIV cards that enabled a short timeframe to be mandated. Despite these 
‘mandatory’ requirements, FIPS 201-1 gave federal agencies an exception clause to the 
fourth requirement by later stating agencies could either ‘self-accredit’ or ‘use other 
accredited issuers’ until PIV Section II had been made officially (Technology v). PIV-I 
continues on to describe the Identification Standard’s primary objectives in regards to 
control, identity spoofing and registration, issuance and maintenance, as well as privacy 
requirements. Throughout the document, it is reiterated that individual agencies are not 
being forced into using a single credential type. They are allowed to determine the 
specific card or cards they wish to use and the level of access authority asserted by the 
card. Whatever the specific credential form chosen by an agency, however, it must meet 
all of the criteria spelled out in PIV-I. 

PIV-II delves deeper into the technical specifications for a holistic PIV system. It 
further elaborates on the component specifications and processes that ensure 
interoperability of PIV cards among federal agencies in regards to access control, 
authentication, and systems management. A pictorial overview of a generic PIV system 
is shown below in Figure 1 PIV II is logically divided among three functional 
components: 
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(1) PIV Front-End Subsys tern: Included is the physical PIV card, card and 
biometric readers, personal identification number (PIN) input device; 

(2) PIV Card Issuance and Management Subsystem : Includes components 
for identity spoofing and registration, card and key issuanee and 
management, and the various repositories and services required as part of 
the verification infrastructure (e.g., PKI directory, certificate status 
servers...); and, 

(3) Access Control Subsystem : Ineludes the physical and logical access 
control systems, protected resources, and the authorization data 
(Technology 10). 



Figure 1. Notional PIV System Model 


When the three subsystems of the overall Personal Identity Verification — II 

architecture are eompleted by the individual federal departments or agencies, it will 

ensure secure, homogenous, and adaptable identity management. By conforming to the 

technical standards of Card Issuance and Management, every federal agency is assured 

that the individual and the smart card presented for physieal or logical access to their 

resources have been vetted, registered, and approved for appropriate eertificate and key 
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usage. This should be further verified when the individual and their PIV card interact 
seamlessly with the every agencies’ card reader, biometric scanner, or PIN device built to 
Front-End specifications. And lastly, if the individual mistakenly or surreptitiously 
attempts to access data or facilities above their authority, logical and physical Access 
Control subsystems will prevent their efforts and alert the proper authorities as required. 
A continuous feedback loop within the PIV architecture maintains secure IdM as long as 
all PIV systems are scrupulously built to the specifications. 

Throughout the document, it is consistently reiterated that the need for uniformity 
and standardization across all federal agencies and departments drives the PIV effort. By 
standardizing specific physical and logical components among all federal agencies, the 
enormous benefits derived from economies of scale can be achieved. Agencies are not 
required to purchase the same hardware or software, but all their hardware and software 
must be able to interact based on the same language spelled out in FIPS 201-1. When the 
underlying subsystems of a PIV architecture are able to exchange data through adherence 
to dedicated standards, federal agencies will no longer waste resources producing 
multiple identification cards, will decrease the chances for identity fraud with 
repetitiously stored Personally Identifiable Information (PII), and will increase the level 
of trust in IdM among agencies. 

3. National Science and Technology Council (NSTC) Identity 
Management Task Force 

In the field of IdM and biometrics, the National Science and Technology Council 
is a very influential organization inside and outside the Executive Office of the President. 
The Council and its various Committees and Subcommittees are continuously designing 
the federal IdM and biometrics landscape through coordination, research, and policy 
recommendations to the President. The website for the National Science and Technology 
Council (NSTC) has a concise and informative description of the Council and its purpose. 
It states, 

The National Science and Technology Council (NSTC) was established by 

Executive Order (12881) on November 23, 1993 (House). This Cabinet- 

level Council is the principal means within the executive branch to 
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coordinate science and technology policy across the diverse entities that 
make up the federal research and development enterprise. Chaired by the 


President, the membership of the NSTC is made up of the Vice President, 
the Director of the Office of Science and Technology Policy, Cabinet 
Secretaries and, and other White House officials. 

A primary objective of the NSTC is the establishment of clear national 
goals for federal science and technology investments in a broad array of 
areas spanning virtually all the mission areas of the executive branch. 

The Council prepares research and development strategies that are 
coordinated across federal agencies to form investment packages aimed at 
accomplishing multiple national goals. The work of the NSTC is 
organized under four primary committees: Science, Technology, 
Environment and Natural Resources and Homeland and National 
Security. Each of these committees oversees subcommittees and working 
groups focused on different aspects of science and technology and 
working to coordinate across the federal government (President). 

Appendix A offers a succinct visual representation of the four committees of the 
Council, as well as their individual subcommittees. From the brief description of the 
NSTC, it is slightly misleading as to the membership of the Council. If a formal list of 
the “Cabinet Secretaries and Agency Heads with significant science and technology 
responsibilities” were to be listed, the list would cover over two dozen of the U.S. 
Government’s most powerful departments and agencies. The President also has the 
eternal right to add from time to time “such officials of executive departments or agencies 
as the President may (House) ” In short, this one Executive Order created a Council with 
an exceptionally large collection of powerful federal officials. 

For the purposes of this thesis, the Subcommittee on Biometrics and Identity 
Management within the NSTC’s Committee on Technology deals specifically with the 
subject material. A pictorial of the Subcommittee on Biometrics and Identity 
Management’s structure is provided below in Figure 2 (Blackburn). The Subcommittee 
on Biometrics and Identity Management was permanently tasked by the NSTC’s 
Committee on Technology since inception in 2002 to: 
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a. In Regards to Biometrics 

1. Provide technical leadership in the development and 
implementation of interoperable federal biometrics 
systems; 

2. Develop and implement multi-agency investment strategies 
that advance biometric sciences to meet public and private 
needs; 

3. Develop and adopt biometric standards as specified in the 
NSTC Policy for Enabling the Development, Adoption, and 

Use of Biometrics Standards : and, 

4. Develop consensus strategic outreach plans for biometrics, 
including collaboration on www.biometrics.gov , the annual 
Biometric Consortium Conference and other events. 

b. In Regards to Identity Manage ment (of whic h Biometr ics is a 

Subset) 

1. Identify cross-sector IdM issues, and develop and 
implement plans to address the federal government’s 
priority S&T need; 

2. Facilitate the inclusion of privacy-protecting principles in 
IdM system design; 

3. In January 2008, the Promote a scientifically educated and 
aware public that properly understands IdM technologies, 
federal programs and issues; and, 

4. Strengthen international and public sector partnerships to 
foster the advancement of IdM technologies (Council, 
Subcommittee Overview). 
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NSTC Subcommittee on Biometrics & idM 



Figure 2. Subcommittee on Biometrics & IdM Structure 

Subcommittee for Biometrics and Identity Management was further 
directed by the NSTC to form a Task Force (TF) on Identity Management. The Task 
Force lasted for six months and was charged with three primary objectives: 

(1) Provide an assessment of the current state of IdM in the U.S. 

Government; 

(2) Develop a vision for how IdM should operate in the future; and, 

(3) Develop first-step recommendation on how to advance toward their 
vision (Council, Identity Management Task Force Report 2008, ES-2). 

The Task Force approached the assignment from two different angles 
realizing they had a limited amount of time to summarize an extremely large subject. A 
portion of the TF’s resources were used to assess publicly available Privacy Impact 
Assessments (PIA) which spell out the privacy impact of any substantially revised or new 
Information Technology System (Security). PIAs were first mandated by the E- 
Government Act of 2002 in recognition that advances in Information Technology also 
had important ramifications on the protection of personal information contained in 
government records and systems (Security). 

The second approach was to coordinate with the Office of Management 
and Budget to conduct a survey of the Federal Chief Information Officer’s Council. The 
scope of the survey and TF’s overall report tried to address uses of Federal IdM in every 
possible way internal and external to the federal government, to include between the 
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federal government and international organizations or commercial entities. Wherever a 
Federal IdM system could possibly be used or accessed, the TF attempted to evaluate. 
The TF on Identity Management also used the following definition of Identity 
Management as part of its methodology to benchmark the concept for those surveyed. 

The combination of technical systems, rules, and procedures that define 
the ownership, utilization, and safeguard of personal identity information. 

The primary goal of the Identity Management process is to assign 
attributes to a digital identity and to connect that identity to an individual 
(Council, Identity Management Task Force Report 2008, ES-I). 


Some of the big picture findings from the combined efforts were that there 
are more than 3000 IdM-related systems within just the federal government that utilize 
some form of Personally Identifiable Information (Pll)k Remember, this does not 
include any non-federal systems that may interact with USG systems. Not surprisingly, 
the preponderance of these systems were designed, utilized, and managed in their own 
independent ‘stovepipes.’ Another finding from the TF’s efforts was the lack of an 
agreed upon definition for “Identity Management.” It’s not difficult to see how disparate 
IdM systems are so incompatible when there is no aggreement on a common definition of 
IdM. Among the more than 3 000 systems, roughly only fifteen percent collect or use 
biometrics, security questions, or tokens (Dray). PINs, login aliases, passwords, date of 
birth, and Social Security numbers are the most common forms of IdM information 
collected (Dray). 


are 


The major consequences noted from this lack of a Federal IdM Enterprise 


(1) Duplicative identity data is often stored in multiple locations 
within the same agency, as well as across agencies, causing a 
negative impact on accuracy and complicating an individual’s 
attempt at redress; 


1 Personally Identifiable Information (PII) is defined by the NTSC as “[t]he information pertaining to 
any person which makes it possible to identify such individual (including the information capable of 
identifying a person when combined with other information even if the information does not clearly 
identify the person)”. This may be interpreted as “any information which identifies a person to any degree”. 
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(2) A lack of commonly used standards makes appropriate cross¬ 
function collaboration difficult, thus impacting both time-sensitive 
mission needs as well as redueing personal privacy; 

(3) Privacy protection efforts vary in eomplexity aeross agencies; and, 

(4) There is no single government-wide forum responsible for 
coordinating and homogenizing IdM efforts across the U.S. 
government (Couneil, Identity Management Task Foree Report 
2008, ES-3). 

The Task Force on Identity Management concurrently identified four 
major opportunities that could systematically demonstrate a return on investment. The 
first was the ability to eapitalize on existing investments in digital infrastrueture. 
Through the previously diseussed FIPS 201, the federal government has established 
technical standards to create basic identifications for employees. Even though there is 
currently not a robust Federal IdM infrastructure to support the full utilization of these 
ID’s, the common FIPS 201 standard enables the prospect for design and implementation 
of FIPS eapable systems throughout the USG (Couneil, Identity Management Task Force 
Report 2008, 14). 

The second opportunity the TF identified for a Federal IdM Enterprise was 
the ability to achieve multiple efficiencies in design and use (Council, Identity 
Management Task Foree Report 2008, 15). Because there is an enormous amount of 
repetitive data residing on literally thousands of disparate systems, a federated IdM 
architecture would alleviate this redundant waste. Surplus and cumulatively expensive 
resources storing and managing the same data would be eliminated. Centralized data 
would be more easily updated and available to all systems under proper aecess controls. 
And most importantly, the ehanees for eompromised data would be dramatically 
decreased because there would be limited access to a single secured repository of data, 
and there would be auditing mechanisms enabling the ability to more quickly determine 
breaehes or violations of integrity. 
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Third, the data management standards and policies of separate 
architectures would be harmonized through standardization (Council, Identity 
Management Task Force Report 2008, 15). The resources and policies of every Federal 
IdM system would be built upon the same foundation of hardware, software, and policy 
standards. This would allow each agency or organization the flexibility to acquire the 
systems that work best for them, AND be interoperable with the systems of every other 
agency. And lastly, the standardization of IdM systems would allow for a true single 
sign-on access across multiple systems (Council, Identity Management Task Force 
Report 2008, 15). There would no longer be a need to continuously remember or write¬ 
down PIN’s or passwords for each and every system. This in turn would reduce potential 
security risks. If every system operated under the same standards and guidelines, every 
system would accept any vetted individual’s access authority by near or instantaneous 
verification of credentials. 


The data and findings gathered by the Subcommittee on Biometrics and 
Identity Management’s Task Force on Identity Management will be used to craft the 
vision for a federated approach to a Federal IdM Enterprise. To this end, the Task 
Forces’ seven top-level goals follow: 

(1) Configuration and operation of a “network of networks’’ to securely 
manage digital identities, based on a set of common data elements for stored PII that will 
allow it to be leveraged by a broad range of applications; 

(2) Security of process, data transmission, and storage; this includes and 
embraces all features of confidentiality, integrity, authenticity, and privacy, including use 
of encryption and multifactor authentication; 

(3) Auditability of processes, with complete, automatic, and secure record 

keeping; 


(4) Ubiquitous availability, at global distances, of strong verification of 
stored digital identity when called for or needed to support an authorized application; 


(5) Standards-based connectivity, interoperability, and extensibility of 
supporting IT architecture; 
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(6) Preservation of application-specific PII data under control of 
application sponsors, with minimal exposure to unauthorized access or unnecessary 
transmission across networks; and, 

(7) Ability of prospective application sponsors to develop, install, and 
operate applications in a way that permits the supporting IT grid to be seen as a freely 
available, ubiquitous service (Council, Identity Management Task Force Report 2008, 
ES-5). 


C. DEPARTMENT OE DEFENSE DOCUMENTS 

1. Overview 

IdM as a business and operational construct is relatively new to the Department of 
Defense. The applications and hardware for biometrics have been more heavily 
developed as a result of the War on Terror, but it has only been understood in the last few 
years that biometrics is actually just a subset of a larger IdM vision. As a result, the DoD 
does not have any formal IdM Enterprise instructions to date. They are either currently in 
development or have appeared as conceptual statements in other documents. Through 
research, there are references to documents like the DoD Roadmap to Identity 
Superiority and the DoD Identity Protection and Management Visio n in some GAO 
reports and other DoD high-level documents.^ For whatever the reasons, these 
documents do not appear on any DoD or reference websites. It is possible they never 
made it to a final approved draft or the vision is still uncertain. The fact that the DoD 
does not have concrete guidance for an IdM Enterprise or Architecture speaks volumes to 
the DoD’s current lack of IdM focus. The following documents are the closest to 
approved and accessible guidance for specific aspects of DoD IdM. 


^ As an example, a September 2008 GAO Report titled DEFENSE MANAGEMENT: DOD Needs to 
Establish Clear Goals and Objectives, Guidance, and a Designated Budget to Manage Its Biometrics 
Activities states”,...in September 2006, tbe (DOD CIO’s) Identity Protection and Management Senior 
Coordinating Group produced a draft Roadmap to Identity Superiority. This document provides a more 
specific strategic vision of biometrics and some associated programs, including specific goals and expected 
timelines. However, DOD officials told us that the document has not been finalized. 
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2. Deputy Secretary of Defense Directive-Type Memorandum (DTM) 
08-006: “DoD Implementation of Homeland Security Presidential 
Directive —12 (HSPD-12)” 

The three page memo (six pages total with an attachment on responsibilities) 
released 26 November 2008 stated that it immediately establishes a DoD policy for the 
implementation of Personal Identity Verification Section I. As previously discussed, PIV 
I details the implementation of a smart card for all DoD employees, contractors, and 
employees of contractors who request or have a need to access DoD facilities and 
resources. The memo, however, does not mention anywhere about policy pertaining to 
PIV Section II, or the larger Personal Identity Verification Architecture. The memo also 
states that it should be replaced by a formal DoD Instruction within 180 days (Defense). 

In order to meet the requirements of Homeland Security Presidential Directive - 
12, the DoD’ Common Access Card (CAC) will be the official identity credential and be 
accepted by all DoD Components. The CAC can be used for logical or physical access to 
DoD facilities and resources. Although the CAC is to be the accepted DoD identity 
credential, it will be at the discretion of individual federal facilities and information 
systems managers to grant or deny access. Furthermore, upgrades to the current Real¬ 
time Personnel Identification Systems (RAPIDS) will be made to ensure that the CAC 
and CAC issuance process fully complies with HSPD-12. This progression is expected to 
occur over the next four years as current CAC’s expire and RAPIDS receives the 
necessary upgrades (Defense). 

3. Department of Defense Directive (DoDD) 1000.25 

DoDD 1000.25 — DoD Personnel Identity Protection (PIP) Program was 
originally promulgated in July 2004, but was updated in April 2007. This directive 
cancels and replaces three previous DoD Directives and Instructions relating to military 
and civilian IDs, as well as the Defense Enrollment and Eligibility Reporting System 
(DEERS). Its purpose as stated. 

The PIP shall be the Department of Defense’s program for: addressing 

threats to the individual personal privacy of its Members, employees, and 

beneficiaries; establishing a secure and authoritative process for the 
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issuance and use of identity credentials on the Department of Defense; 
and ensuring that DoD benefits and access to DoD physical and logical 
assets are granted on authenticated and secure identity information. (USD 

(P&R)) 

Although not specifically an MM instruction, DoDD 1000.25 works hand-in-hand 
anywhere HSPD-12 and the DoD’s Common Access Card are applicable. As such, it 
appears and reappears in a multitude of DoD and Service instructions, directives, and 
policy statements of varying importance. The PIP program influences all of the 
following systems that operate within the sphere of identity implementation and 
operations: DEERS, RAPIDS, Defense Biometric Identification System (DBIDS), 
Defense Cross-Credentialing Identification System (DCCIS), Defense National Visitors 
Center (DNVC), and the Defense Non-Combatant Evacuation (NEO) Operations 
Tracking Systems (DNTS) (USD (P&R)). 

Oversight of the PIP Program is delegated to the Identity Protection and 
Management Senior Coordinating Group (IPMSCG) under the Assistant Secretary of 
Defense (Network and Information Integration) (ASD/NII) and DoD Chief Information 
Officer (CIO) (USD (P&R)). The IPMSCG must ensure that the PIP Program is ready to 
add additional capabilities and systems as technologies emerge in the future. In essence, 
the PIP Program is a scaled-version of an IdM Architecture that seeks to implement and 
leverage standardization of identity credentialing and processing across the varying DoD 
identity systems. 
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II. BIOMETRICS OVERVIEW 


A. INTRODUCTION 

Biometrics : As a characteristic: A measurable biological 
(anatomical and physiological) and behavioral characteristic that can be 
used for automated recognition. 

As a process: Automated methods of recognizing a biometric subject 
based on measurable biological (anatomical and physiological) and 
behavioral characteristics. 

National Science and Technology Council Biometrics Glossary 

As with the field of Identity Management, biometrics in the USG and DoD is in a 
state of controlled chaos. Biometrics, however, is far more advanced in operational 
applieation, business use, and poliey formation. Referencing Appendix B will give an 
appreeiation for the language that has already evolved around the subject. There are a lot 
of initiatives and programs with only limited coordination between them, whether it is a 
Special Operations Unit taking multi-modal biometrics into the mountains of Afghanistan 
or a diligent TSA employee verifying the biometries of a foreign traveler eoming into the 
United States. Resources are being wasted through duplication of efforts, a lack of 
interconnectedness among databases, and an inability of most IdM or biometrics systems 
to simply exchange or verify data with another system even if connected. 

For a long time, biometries was seen as a separate resouree in identifying Red or 
Gray forees, and occasionally Blue forees. As resourees for and the actual application of 
biometrics expanded after 9/11, biometrics was better understood to be a component of 
the wider field of Identity Management. Initial versions of federal IdM architectures or 
enterprises began to take shape, and biometrics became the tool by whieh better 
information and intelligenee eould be gathered and shared. This ehapter summarizes and 
quotes from the latest iterations of both federal and DoD documents that describe how 
biometrics is expected to be applied currently and in the future. Most documents are 
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relatively new by DoD standards, and account for the information on biometrics already 
acquired and the acceptance that biometrics is no longer a separate field. In regards to 
how biometrics is specifically employed on a daily basis, this topic will be more 
thoroughly handled in the next chapter. 

B. NON-DOD FEDERAL INSTRUCTIONS 

As a tool in the implementation of a Federal IdM Enterprise, the use and 
application of biometrics has truly gained momentum. Despite the fact that commercial 
businesses and organizations have been using biometrics for decades, the USG and DoD 
have only become serious about the implementation of biometrics since the Global War 
on Terror began at the end of 2001. Even then, the vast majority of applications that took 
advantage of the benefits of biometrics were operational systems used to distinguish Red 
and Gray forces from Blue Forces, but not among varying grades of Blue Forces. 

Over the last few years, however, a drive and accompanying resources have been 
applied towards evaluating biometrics systems for business and operational systems that 
distinguish Blue Forces from other Blue Forces. From a general business perspective, the 
greatest security threat is still the Insider Threat. There is a specific and quantifiable need 
to distinguish people by access to facilities, privileges to applications, or basic security 
levels. In the federal government and DoD, one only has to do a quick search on Google 
or any news source to find plentiful examples of Personally Identifiable Information (PII) 
that was randomly lost or stolen by federal and DoD employees. Laptops with little or no 
security features installed and enabled continue to disappear or remain unaccounted for 
that potentially disclose the private medical, social security, and personal information of 
hundreds of thousands of active duty military, retirees, and civil servants. This problem 
grows exponentially when you realize that only recently have security standards been 
enacted that each federal agency or organization is held accountable to meeting. Dig 
deeper and these issues multiply again after the realization that divisions and departments 
within individual agencies do not always use a single standard, and often do not even 
effectively attempt to coordinate their efforts. 
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1. HSPD 24 and National Security Presidential Directive 56: Biometrics 
for Identification and Screening to Enhance National Security 

HSPD 24 is a very recent directive in the larger vision for biometrics with a 
publication date of June 5, 2008 (White House, Homeland Security Presidential Directive 
24). The Directive instructed the Attorney General to have a plan of action within 90 
days that has been coordinated with the Secretaries of State, Defense, and Homeland 
Security, the Director of National Intelligence, and the Director of the Office of Science 
and Technology Policy. Following the submittal of the plan, all of the responsible parties 
would have a year to submit a report outlining their implementation of the directive, an 
action plan, and any additional actions required for implementation. 

Although HSPD 24 does not specifically address the use of biometrics for Blue 
Force identification and screening, HSPD 24 does seek to unify the efforts of federal 
agencies in regards to the collection, use, and sharing of terrorist biometric data. 
Specifically, HSPD 24 states, 

Many agencies already collect biographical and biometric information in 
their identification and screening processes. With improvements in 
biometric technologies, and in light of its demonstrated value as a tool to 
protect national security, it is important to ensure agencies use compatible 
methods and procedures in the collection, storage, use, analysis, and 
sharing of biometric information (White House, Homeland Security 
Presidential Directive 24). 

Furthermore, HSPD 24 gives more explicit direct direction on how to achieve the 

goal. 


Through integrated processes and interoperable systems, agencies shall, 
to the fullest extent permitted by law, make available to other agencies all 
biometric and associated biographical and contextual information 
associated with persons for whom there is an articulable and reasonable 
basis for suspicion that they pose a threat to national security (White 
House, Homeland Security Presidential Directive 24). 

Interestingly, the definition chosen for use only covers the characteristic portion 
of biometrics. It does not mention the second half of biometrics as a process like written 
in the NSTC version in Appendix B. Asa process, “biometrics” is defined as automated 
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methods of recognizing a biometric subject based on measurable biological (anatomical 
and physiological) and behavioral characteristics. With the stated intention of this 
directive to force federal agencies to work together, it would have been prudent to also 
emphasize the process half of biometrics to the intended audience. 

2. The National Biometrics Challenge 

In August 2006, the National Science and Technology Council’s Subcommittee 
on Biometrics (now called the Subcommittee on Biometrics and Identity Management) 
published a report titled “The National Biometrics Challenge.’’ The intent of this report 
was to lay out a common agenda of challenges and opportunities for the ‘biometrics 
community’ — government, industry, and academia. In developing this report and its 
attending multiple lists, the NSTC Subcommittee on Biometrics analyzed the 
distinctiveness of biometrics as an identification tool, market and social forces 
influencing biometric applications, and requirements for future capabilities (Biomtrics 1). 
Although the use of biometrics is becoming more commonplace, applications are usually 
stovepiped and disconnected. Current security and business requirements are dictating 
highly interconnected biometric systems to rapidly ID personnel across any operational 
environment. 

As a capability in the larger architecture of IdM, biometrics has some distinct 
advantages over other identity processes. Biometrics is currently the best available real¬ 
time capability for identifying personnel. Secondly, the direct attachment of biometrics 
to an individual allows it to be integrated and layered with other security or verification 
resources. Third, biometrics that are scalable and interoperable facilitate the 
identification of repetitive biometric data across the enterprise. Lastly, biometrics are 
difficult, though not impossible, to copy or compromise because they are tied to a 
specific individual’s characteristics — physiological and behavioral. Overall, the 
calculable benefits of bioimetrics when applied in a holistic enterprise architecture are 
valuable resources saved by eliminating redundant data, increased effectiveness through 
shared data, and improved security by layering and overlapping applications (Biometrics 
4). 
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Following all their research, the Subcommittee on Biometrics narrowed the 
influences driving the evolution of biometrics into the following four primary forces: 

1. National Security. 

2. Homeland security and law enforcement. 

3. Enterprise and e-govemment services. 

4. Personal information and business transactions. 

There were also a collection of specific needs identified across each of the four primary 
forces. One of those was the need to accurately ID individuals in real-time in order to 
distiguish threats from unknowns or friendly forces. In order to do this, the 
Subcommittee identified the need for accurate, rugged, multi-modal biometrics that rely 
on standards that imporve interoperability across agencies. Another need was enterprise 
and e-government services which streamline and secure recognition to create ‘federated 
identities’ across organizational boundaries and ensure privacy standards. A third 
requirement was personal and business transaction solutions that decrease identity theft in 
cost-effictive and user intuitive ways. 

Four prominent challenges were then identified as the most significant in regards 
to the primary forces: 

1. Improve collection devices (biometrics sensors). 

2. Develop more efficient and effective large-scale operational capabilities 
(biometrics systems). 

3. Establish standards for plug-and-play performance (biometrics systems 
interoperability). 

4. Enable informed debate on why, how, and when biometrics should and 
can be used (biometrics communications and privacy) (Biomtrics 2). 

These four challenges cut across all four of the previously mentioned primary forces to 
one degree or another. 


21 



If the required needs already discussed could be filled, there would be substantial 
benefits to be gained across both the public and private sectors. When the biometric 
sensors are designed and produced to specifications, real-time biometric data could be 
transmitted in almost any environment to support law enforcement, military, or homeland 
security positive identifications of KSTs or foreign visitors. Systems could lose or 
change out sensors without any degradations. Biometric architectures in a standards 
driven environment would no longer be hamstrung to specific vendors. Confidence by 
both owners and customers would increase even as biometrics systems scale up to 
enterprise levels. Biometric data would be consistent across the enterprise without 
wasteful duplication as biometric systems reach real interoperability. Lastly, informed 
debate about the application of biometrics and the societal implications would demystify 
the technology and improve overall cooperation (Biomtrics 13-16). 

C. DEPARTMENT OF DEFENSE INSTRUCTIONS 

1. Department of Defense Directive (DoDD) 8521.01E: Department of 
Defense Biometrics 

DODD 8521.OlE was released in February 2008 by then Deputy Secretary of 
Defense Gordon England. Like most DoD directives, it stated in clear terms who had 
been designated to which position and what their specific responsibilities were to be. The 
major significance of this document is that it consolidated numerous previous biometrics 
and related instructions, as well as making slight adjustments to the DoD biometrics 
chain of command. Under this instruction, the DoD Biometrics Principal Staff Assistant 
is the Director, Defense Research & Engineering under the Under Secretary of Defense 
for Acquisition, Technology and Logistics. Whereas the Secretary of the Army had 
previously been designated the DoD Executive Agent (EA) for just integration of 
biometrics technologies, the Secretary was now designated EA for all DoD biometrics 
(Defense, Department of Defense Biometrics). 

In order to establish a common language for discussing biometrics, this DoD 

instruction notes that it is using the NSTC Subcommittee on Biometrics Glossary 

(Appendix B of this thesis). This will help ensure that both military and civilians alike 
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can understand one another when talking and writing about biometrics. The Policy 
section of the Directive reiterates a lot of previously mentioned requirements such as the 
requirement to improve efficieney and effeetiveness, eliminate redundant efforts, 
eoordinate through the EA to leverage eurrent aequisitions, develop systems for 
interoperability, develop continuity of operations for contingencies, and that all 
biometrics data shall be maintained and controlled by the DoD. Under the 
Responsibilities section, the requirement to ensure that DoD meets all the requirements of 
HSPD 12 fall to the Under Seeretary of Defense for Personnel and Readiness. The Under 
Secretary also has the major task for ensuring all policies and procedures for IdM and ID 
protection meet current DoD biometric capabilities and standards. A significant 
responsibility when noted that the area of DoD Blue Foree biometrics is where significant 
resources and thought are shifting towards. More specifie details about how the 
Secretary of the Army as EA for Biometrics is concretely applying his responsibilities in 
operational biometrics is found next in Chapter III on the Biometrics Task Force. 

2. Report of the Defense Science Board Task Force on Defense 
Biometrics 

In April 2006, the Under Seeretary of Defense (USD) for Aequisition, 
Technology, and Logistics (AT&L) requested the formation of a Task Foree on Defense 
Biometrics from the Defense Seience Board (DSB). The USD (AT&L) stated that the 
Department of Defense was working in an ad hoc and reactive fashion to the ever 
increasing demands for biometrics and IdM technologies. The DoD was still operating 
under a pre-9/11 mindset defined by pre-9/11 guidanee (TF on Biometries 93). The 
offieial USD (AT&L) memorandum required interim results by May 2006 and a final 
report by November 2006. Research was completed in September 2006 by the DSB Task 
Force on Biometrics, and the final report presented to the USD (AT&L) in March 2007. 

One of the first points made in the Report’s Exeeutive Summary was the TF’s 
summary conclusion that the real topic was the DoD’s IdM posture, not just current 
biometrics capabilities. Biometrics is an important technology in the larger DoD IdM 
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Enterprise, but still just one piece of the overall MM puzzle. The theme driven home is 
that biometrics is but one means towards a holistic MM Enterprise. The TE of Defense 
Biometrics then identified six top level interim findings summarized below: 

1. The importance of identity management and the role of biometrics in the 
Department of Defense are underappreciated. 

2. The present management structure largely reflects pre-9/11 requirements: 
a “blue” focus inside DoD, and conceived in the context of information 
assurance. 

3. Urgent battlefield needs are not being met. The current “program” 
appears to lack the necessary warfighter customer orientation. 

4. Requirements will continue to grow as current business processes scale 
up, as new applications come on line, as the adversaries adapt and as new 
threats emerge. 

5. Technology is changing for the better. New technologies must be inserted 
rapidly. 

6. There appears to be considerable benefit in a Department-wide authority 
for identity management and biometrics, accountable and responsible for 
its funding, policy, vision and direction, and sustainment (TF on 
Biometrics 3). 

The DSB TF on Defense Biometrics Report elaborated on DoD issues with 
biometrics in both technological and organizational contexts. In both contexts, the 
Report intentionally and continuously related the issues and material back to how they 
should support broader DoD MM processes. When the Report elaborated on the general 
role of biometrics, it stated that biometric processes themselves “offer the high assurance 
of uniqueness in initial registration, and added confidence to ID assertion” (TF on 
Biometrics 15). The TF also concluded that any ID related processes cannot be accurate 
without biometrics, because it is necessary to positively link an individual asserting an 
identity to a historical digital biometric instance of the individual. Another point made in 
the TF Report was that the initial introduction of biometrics to the public after 9/11 
created a sense of mistrust and misunderstanding because the government failed to 
clearly and adequately explain what was being done and why. More recently, the public 
has cautiously accepted biometrics as they have become more educated about the 
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technology and more accustomed through exposure. Lastly, the perfromance 
measurements of biometrics have moved beyond the inflated rhetoric of original gradiose 
expectations to realistic probabilities of potential applications (TF on Biometrics 15). 

A three category system for identifying personnel or resources, that is referred to 
as the Identification Trinity, is described by the Report. The three categories that make 
up the ID Trinity are: (1) something you have, (2) something you know, and (3) 
something you are. The strength of the authentication increases when ID processes use 
two or all of the categories in combination to make a positive ID. The most common 
form of ID has, and continues to be, something an individual has. Examples like a birth 
certificate or drivers license are the mainstay of attempting to prove one’s identity. These 
physical objects are commonly referred to as tokens in the IdM lexicon^. Something you 
know is also a very commonly used identifier. Examples of these include passwords, 
PINs, or answers to pass phrases. Authenticators from this category are easy to produce, 
but also easily compormised through social engineering or simple laziness. The third 
category of something you are comprises the physical and behavioral features that most 
uniquely identify one individual from another. These features do not need to be 
memorized, are harder to duplicate, and harder to deny during an authentication process. 
Biometrics is this third category. 

When the TE on Defense Biometrics completed their research, they generated 
forty-six recommendations broken down into six categories: Information Management 
and Information Sharing Issues; R&D, Materiel and Technology Issues; Issues Beyond 
the Department of Defense; Issues Within the Department of Defense; DoD 
Organizational Issues; and. Legal and Privacy Issues. The most relevant 
recommendations dealing directly with biometrics and the application of biometrics are: 


3 As previously mentioned, HSPD -12 outlines the requirements for a strong common identity 
credential (or token). The DoD Common Access Card currently used meets HSPD-12 requirements for a 
FIPS-201 compliant token. 
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a. Information Management and Information Sharing Issues 

Recommendation 19: The OSD PSA for Biometrics, with the ASD/NII, 
should ensure that scalability issues are addressed specifically in anticipation of scaling 
key identity management systems and processes globally. 

Recommendation 42: That the PSA for Biometrics cause the issue of using 
the biometric, itself, for remote authentication across a broad multi-use network to be re¬ 
examined. Participants in the re-evaluation would include, inter alia, the CIOs, the ASD 
(Nil), and the DIRNSA (TF on Biometrics 86). 

b. R&D, Materiel and Technology Issues 

Recommendation 3: The PSA for Biometrics should undertake to develop 
field-deployable DNA collection and matching equipment that requires less skill to 
achieve operationally worthy results, and the data architecture for accessing repositories 
for match should be designed and deployed apace. Additionally, the PSA, in coordinate 
with appropriate authorities, should investigate options related to organizational, physical 
and/or data collocation with other/larger elements of the total DoD biometric s/IM 
enterprise. 

Recommendation 6: Conduct research focused on defining, verifying, 
quantifying and improving biometrics collection/matching performance in multi-modal 
systems. Evaluate alternative methods for comparing and weighting results of matching 
algorithms of different biometric modalities within a single system; seek to establish 
optimal mixes/combinations of modalities in various applications and scenarios. 
Examine issues specifically related to multi-modal data storage and system architecture. 

Recommendation 8: Support research efforts by DARPA and others into 
extended-range human biometric identifiability and tracking. Explore feasibility of 
“unattended surveillance” of larger areas. Examine applicability of biometrically-based 
capability for long-range identity assertion in operational scenarios. 
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Recommendation 10: Quantify, operationalize, and improve upon 3D as a 
basic biometric modality. Explore development of coherent, bi-static 3D imagery 
collection capability, with cameras separated over some distance. Conduct an ongoing, 
basic-research effort in biometrics, seeking to discover new modalities, and previously- 
unknown insights from existing collection and operational biometrics. Seek to identify 
and operationalize promising new areas of biometrics application, appropriately. 

Recommendation 14: Support multi-agency research to identify and refine 
possible new biometric modalities related to residual/latent information (TF on 
Biometrics 87-88). 


c. Issues beyond the Department of Defense 

Recommendation 24: The OSD PSA for Biometrics should establish the 
policy and technology basis for associating biometrics with the broader field of Identity 
Management in the whole range of DoD applications and requirements, and support 
interagency efforts to do the same. 

d. Issues within the Department of Defense 

Recommendation 36: The OSD PSA should work with USD/P&R to 
establish an “Identity Management Community” within the DoD, to establish, support 
and manage a career-long continuum of training, education and professional development 
in this field. 

Recommendation 38: The OSD PSA for Biometrics, in coordination with 
and supported by the USD/P&R, should examine the model used to support and 
encourage the emergence of Information Assurance (lA) as a recognized and accredited 
academic discipline in the 1990s, in terms of its possible relevance for reproduction and 
application to IM/biometrics. 
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Recommendation 46: The OSD PSA for Biometrics, in coordination with 
appropriate authorities, should seek the creation of comprehensive security policy or 
policies for biometrics. Such policy should embrace all phases of developmental and 
operational use, and all other relevant considerations. 

e. DoD Organizational Issues 

**Note: Recommendations in this section are repeated in other categories. 

f. Legal and Privacy Issues 

Recommendation 40: The Department of Defense, if not the USG, must 
seek to engage responsible advocates of privacy early in the design and application of 
identity management systems; the serious purpose of the system must be communicated 
and understood; and, the data must be limited to that purpose. 

Recommendation 41: The OSD PSA for Biometrics should request a broad 
review by the Office of General Counsel (OGC) of the privacy implications of biometrics 
use within the Department, which should be coordinated with the Department of Justice. 
Based on the results the PSA, in coordination with the Defense Privacy Board and the 
OGC, should create comprehensive biometrics privacy policies and strategies as required 
to support the range of defense missions, consonant with interagency efforts (TF on 
Biometrics 86-92). 

Department of Defense involvement in the shaping of policy and doctrine 
was expressed in the Report with the understanding that it was no longer possible to 
operate in a vacuum. Higher level directives like HSPD-12 mandated that the DoD 
become actively involved with other governmental agencies, inter-governmental 
agencies, international agencies or allies, and the commercial sector. The DoD is 
inextricably linked with all of these entities and has too much at stake to not try to direct 
the activities of all the constituencies in evaluating biometric or IdM policy and doctrine. 
For example, the DoD shares and exchanges biometric data with the FBI through the 
FBI’s lAFIS database. Likewise, the DoD shares its biometric information with other 

federal departments like the Department of Homeland Security. In order to achieve true 
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global capabilities, the DoD must leverage its relationships to maximize interoperability, 
standardization, and economies of scale. Most importantly, the DoD needs to become an 
aetive stakeholder to ensure that international policies and technologies remain favorable 
to U.S. seeurity priorities (TF on Biometries 60). 

The TF ends the report by relating the importance of biometrics in 
identification and verification to the process of personnel security. Government agencies 
and departments expend a lot of resources to properly vett personnel attempting to attain 
security clearances. These elearances will then be used to protect our nation’s most 
important security information and systems. Without tying a biometric to the individual 
investigated and possibly polygraphed, it is still possible for that person to fake their 
identity. When understood from this perspective, biometries would elearly add a much 
higher level of identity assuranee when used to identify government eontraetors or new 
recruits as it would throughout the personnel security process. 
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III. CURRENT DOD BIOMETRICS OPERATIONS: THE 
BIOMETRICS TASK FORCE 


A. INTRODUCTION 

In this chapter, a detailed overview of the operational component of the 
Biometrics Task Force (BTF)—Biometrics Operations Directorate located in Clarksburg, 
West Virginia is explored. If someone wants to know what the Department of Defense is 
doing on a daily basis in regards to operational IdM, one of the best places to start is the 
Biometrics Task Force Formerly known as the Biometrics Fusion Center, this specific 
facility is now referred to as the Biometrics Task Force — West. The Plans and Policy 
component of the BTF, generally referred to as BTF — East, is located in Crystal City, 
VA. Details and information about BTF operations were gathered from a personal tour 
of the facilities on December 16, 2008 and from the Unclassified materials supplied by 
the BTF — West personnel.^ 

B. BACKGROUND & COMMAND STRUCTURE 

1. Background 

Following a study commissioned by Congress in 1999, it was determined that 
biometrics was an emerging technology that would have a significant impact on 
Department of Defense operations. As such, the use of biometric technologies needed to 
be coordinated, standardized, and funded. The Biometrics Management Office (BMO) 
was established in 2000 under the Army’s Chief Information Officer (CIO) with the 
Secretary of the Army as the Executive Agent for the DoD. This action made the BMO 
the epicenter for all things biometrics in and among all the services and DoD agencies. 


Specifically, I was able to coordinate the tour through Theresa Marinaro, BTF-W Office Assistant. 
My knowledgeable tour guide and general BTF representative was David Phares, Senior Project Manager 
with Computer Sciences Corporation (CSC). The following people also generously made themselves 
available to answer my litany of questions during the tour: Kim Quinn of 13 — Deputy Operations 
Manager, DoD Enterprise Systems; Lauren — Ten Print / Latent Print Evaluator Supervisor; plus Karla 
Buckel and Robert Peters — Hardware Test Engineers also with CSC. 
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BMO focused primarily on Information Assurance (lA), specifically network access, but 
has iteratively broadened its scope as technology and operational requirements have 
evolved (Biometries Task Force). 

Figure 3 below shows the most eurrent ehain of eommand for both BTF East and 
West. The Secretary of the Army is Executive Agent (EA) who further delineated the 
Army G-3 as its acting EA. The Secretary as Executive Agent reports to the Principal 
Staff Assistant (PSA) — Director, Defense Researeh and Engineering (DDRE) — 
Direetor, Defense Biometries (DDB). Eigure 3 also demonstrates the myriad of military 
and interagency relationships focused on biometrics within the DoD and U.S. 
Government (Lohman). 
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Figure 3. Biometrics Task Force Chain of Command 


2. Biometrics Task Force Structure 

Internally, the Biometrics Task Force has grown substantially since 2000 to 
include all of the directors, directorates, divisions displayed in Figure 4 (Lohman). The 
facilities of the Biometrics Operations Direetorate (BOD) that I speeifieally toured or was 
exposed to in one form or fashion — Operations, Resource & Support, and Technical 
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Management Divisions; as well as the twelve branches supporting the Directorate — are 
located in Clarksburg, WV. The divisions and branches of the Biometrics Integration 
Directorate (BID) are located in Crystal City, VA. There is a clear and purposeful 
separation of the operational side of the house from the policy and plans side. One of the 
strongest reasons is to maximize and build upon the relationship between the FBI 
Criminal Justice Information Services (CJIS) and BTF operational elements (Zanger). 
This research will focus mainly on the Biometrics Operations Directorate of the BTF. 


BTF Organizational Chart 
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Biometrics Task Force Organizational Chart 


3. Biometrics Operations Directorate 

The Biometrics Operations Directorate has three main jobs: (1) operate the 
Automated Biometrics Identification System (ABIS) database containing Red and Gray 
Forces biometrics data, (2) test and evaluate biometrics equipment, and (3) support field 
operations of the equipment in use by the Services whether in theater or in the 
Continental United States (Biometrics Task Force). Within the Biometrics Operations 
Directorate, there are three divisions with one being the Operations Division. The 
Operations Division has two missions. The first mission is to provide immediate and 
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direct support to biometrics cells in Iraq and Afghanistan. The Operations Division 
accomplishes this by being responsible for coordinating and managing issues and 
requests for information from the Combatant Commanders (COCOM) on all matters 
biometrics. Its second role is to drive efforts throughout the Joint Forces to establish 
comprehensive biometrics training programs. This longer term goal focuses on creating 
biometrics organizations within all COCOMs, developing a premiere operations center to 
support worldwide biometrics operations, and institutionalizing biometrics training 
(Biometrics Task Force). 

In order to help emphasize the push that biometrics was moving from theory to 
operations, the BTF was transferred from the Army’s Communications, Information, and 
Systems Directorate (CIO/G-6) to the Training and Operations Directorate (G-3/5/7) 
during FY07. In addition, the Army and BTF deployed a Biometrics Torch Party to Iraq 
in early 2007 to begin standardizing issuance and training of biometrics equipment to 
units, developing biometrics concepts of operations (CONOPS) and standard operating 
procedures (SOPs), as well as increasing enrollments and watch list nominations. The 
success of these Torch Parties in both Iraq and Afghanistan has led to approved Joint 
Manning Documents that will create permanent 11-man biometrics cells within both 
theater Headquarters (Biometrics Task Force). 

The second and third divisions within the Biometrics Operations Directorate are 
the Resources & Support Division (R&SD) and the Technical Management Division 
(TMD). The Resources and Support Division of the Operations Directorate exists simply 
and plainly to support the BTF. R&SD and its branches implement information 
technology, maintain overall security of facilities and resources, and manage all BTF 
resources across the DoD to support the Executive Manager for DoD Biometrics. The 
Technical Management Division ensures the integrity and availability of the DoD’s 
biometrics data for appropriate users, and performs assessment, integration, 
interoperability, and testing of biometrics devices (Biometrics Task Force). All new 
biometrics equipment must be tested and evaluated to ensure compliance with applicable 
ABIS and data standards. In short, it has to be able to interface with ABIS and not create 
any vulnerability to the database (Zanger). 
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4. 


Joint Forces Initiatives 


Although not specifically part of any Biometrics Operations Directorate mission 
or focus, it is important to understand how the results of the Operations Directorate are 
implemented around the globe in a theater’s daily operations. Through the Joint, 
Interagency, Multinational Coordination Branch of the BID, the Biometrics Task Force 
works directly with most of the Army’s sister Services in developing, testing, and 
fielding biometrics technologies. More directly, the coordination between the Biometrics 
Task Force, U.S. Navy, and United States Marines Corp (USMC) has created substantial 
gains in biometric capabilities directed toward the Global War on Terrorism. The U.S. 
Navy (since 2000 when it assigned its first liaison to the BTF) and the USMC (since 2005 
when it did the same) have been collaborating with the BTF on multiple IdM and 
biometric activities. The following is a highlighted list of accomplishments that have 
occurred up to and through FY07 (Biometrics Task Force): 

a. Expanded Maritime Interception Operations (EMIO) 

To support the collection and processing of biometric activities during 
Visit, Board, Search, and Seizure (VBSS) operations, the BTF worked with the Navy to 
identify and purchase robust biometric equipment; to develop data transmission 
standards; and, to establish appropriate procedures. The BTF’s Automated Biometrics 
Identification System (ABIS) provides near real-time search and response capabilities. 

EMIO Wireless Bridge. Navy and BTF worked to develop a 
wireless transmission capability compatible with ABIS. 30-plus ships are funded by the 
Navy for the Wireless Bridge capability. 

Tactical Biometrics Collection and Matching System (TBCMS). 
BTF provided funds to the Navy to develop a small, lightweight, ruggedized system to 
replace initial bulky biometric systems used for VBSS. TCBMS was delivered in FY 07 
after the BTF completed laboratory and ABIS compatibility testing. 


35 



b. Identity Dominance System (IDS) 


BTF has supported Navy efforts for a holistic multimodal biometrics 
system of collection and verification that is scalable to different mission profiles. IDS is 
being designed for interoperability, adherence to technical standards / policies, and 
network security accreditation. In particular, the BTF has supported the Navy’s efforts 
with document reviews, recommendations, and support through the Joint Staff review 
process. 


c. USMC Biometr ic BA T- HIIDE ( Biometrics Automated Toolset 

— Handheld Intern gency Me ntity Dete ction Equipment) 

Collaboration Initiatives 

(1) Fielded BAT and HIIDE training elements at Marine Air- 
Ground Task Force (MAGTF) Integrated Systems Training Centers for each Marine 
Expeditionary Force (MEF). 

(2) Provided BAT and HIIDE equipment to the USMC 
Corrections Specialist School at Lackland AFB. 

(3) Successfully conducted first, complete, biometrics, data 
refresh while underway during pre-deployment work-ups with the 22"*^ Marine 
Expeditionary Unit (MEU). 

(4) Deployed 17 biometric field engineers to support Marines 
at the battalion level assigned to Multinational Eorces — West. 

d. Latent Print Laboratory 

In coordination with Joint Chiefs of Staff, USN, BTF, and Naval Criminal 
Investigative Service (NCIS), established a Latent Print Laboratory at Camp Fallujah, 
Iraq to process latent fingerprints from military and terrorist crime scenes. 
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C. THE DOD BIOMETRICS DATABASE — AUTOMATED BIOMETRICS 

IDENTIFICATION SYSTEM (ABIS) 

1. The Evolution of ABIS 

Following the terrorist attacks on September 11, 2001, the DoD evolved its vision 
for biometrics to include the positive identification of known and suspected terrorists. In 
addition to expanding the original intent of securing U.S. facilities and networks, the 
BMO and BFC would now have to generate a biometrics data collection, transmission, 
and storage system comparable to and compatible with the FBI’s Integrated Automated 
Fingerprint Identification System (lAFIS) (Biometrics Task Force). Three years later the 
DoD’s Automated Biometrics Identification System (ABIS) became operational. ABIS 
serves as THE central storage for all DoD biometrics data, as well as being able to 
functionally cross-reference and exchange data with the FBI’s lAFIS. ABIS is physically 
located in the BTF — West facilities in Clarksburg. It is currently manned twenty-four 
hours a day/ seven days a week by contractors thanks to increases in manning and 
budgets, as compared to initially being manned on an as needed basis outside normal 
hours. The day-to-day operation and maintenance of ABIS is being maintained under a 
Northrop- Grumman contract until the contract comes up for renewal at the end of FY 
2009 (Zanger). 


2. Basic Daily Operation 

So how does ABIS basically work? The quad-chart in Figure 5 below gives a 
good visual summary of ABIS and its functioning (Quinn). The ABIS operations center 
at BTF — West is manned 24/ 7 by a Biometrics Examination Services Team (BEST) in 
support of operations around the globe. They can send and receive data over Unclassified 
and Classified networks depending on the customer and their capabilities. Within a small 
room in the BTF — West facilities, there are a large number of widescreen TVs and 
monitors that display a constant flow of requested fingerprint analysis against the ABIS 
and/or lAFIS databases. These requests are monitored by specially trained 13 personnel 
who verify each transaction for compatibility with the ABIS database; make appropriate 
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changes to requests as necessary to ensure completeness; or, pass along the request to a 
Latent Print or Ten-Print Examiner (LPE or TPE) for further investigation when there is 
no match in the database (Zanger). Each request coming in from around the world must 
be structured as close as possible to the Electronic Biometrics Transmission Specification 
(EBTS) to be processed by DoD’s ABIS or the EBTs lAEIS. Without the correct 
structure, it is difficult, sometimes impossible, for the ABIS operators to efficiently or 
effectively conduct a database query. 


ABIS Overview 
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Figure 5. ABIS Quad-Chart Overview 


It is important to recognize the continuing need for a “person-in-the-loop” 
regarding ten print and latent print evaluators any time ABIS or I APIS does not generate 
a match. The dedicated TPE’s and LPE’s support BEST operations 24/7 alongside the 
ABIS operators. TPE’s and LPE’s also share the same office space in close proximity to 
their ABIS operator brethren. This closeness enables greater coordination and efficiency 
in supporting the boots on the ground. The manual process of evaluating partial, 
fragmented, or distorted fingerprints will continue to be required until an ABIS or 
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database querying algorithm is created that can work off the smallest portion of a 
fingerprint. The algorithms are getting better all the time, but this will probably still not 
happen anytime soon. Meanwhile, operators are still sending to the BTF old fashioned, 
black ink, individual finger rolled print cards (Zanger). 

3. The Identity Dominance Process 

Within the DoD’s IdM and biometrics lexicon, the formal process from ground 
pounder to the database and back to the ground pounder is known as the Identity 
Dominance Process. The Identity Dominance Process is comprised of five steps: (1) 
Collection, (2) Transmission, (3) Matching, (4) Storing / Sharing, and (5) Analysis. 
Collection is performed at the pointy end of the spear where multimodal biometrics data, 
biographical data, and contextual event data about the circumstances surrounding the 
reason for the collection are gathered and logged. Transmission is self-explanatory and 
occurs by any means possible or available to the user /customer (e.g., NIPR, SIPR, 
SAT...). However sent, the data must somehow reach the biometrics repository. 
Matching occurs either automatically through a database query or manually through 
human fingerprint examiners (e.g., TPE or LPE). Storing and sharing involves the 
requirement that every piece of data sent, no matter how small, is permanently collected 
for potential future use. Secondly, the results of the match query and the updated data are 
now transmitted back to the User and are made available for interagency sharing. Lastly, 
Analysis deals with the development of watch lists, possible exploitation by the 
Intelligence or Information Warfare communities, and Force Protection (Quinn). Figure 
6 presents a current example of the Identity Dominance Process. 


39 



BipmetriP5 Transmlssipns OEF & OIF 



Spiral lonal iThtotirjl 
Livwl 


— 

BadNp ] 

Raply I 


MMktKiWMMf imH 




NsCiooal/ &tnil«gk^ 
L«vbk 


Figure 6. Identity Dominance Process Overview 


4. ABIS 2.0: NGA — Next Generation ABIS 

In January 2009, a major upgrade to the current ABIS system — NGA or Next 

Generation ABIS — became operational (Zanger). It provides qualitative improvements 

over ABIS 1.0 in a multitude of areas. One of the most prominent will be NGA’s ability 

to process multi-modal (fingerprints, iris, face, palm...) biometrics data. Early 

operational results have shown that NGA can process biometrics in roughly one-third the 

time of ABIS 1.0. It has also been able to positively match and ID a greater percentage 

of known or suspected terrorists due to its multi-modal capabilities. To make the new 

system more manageable, scalable and responsive, NGA was originally designed to be 

partitioned into four different functional levels: Enterprise, Operational, Regional, and 

Man-portable. The Enterprise ABIS is the ‘Master Database’ comprised of all Red and 

Gray Forces biometrics and relevant data with an initial capacity for over 2 million 

records. Operational ABIS (e.g., CENTCOM) was expected to be a subset of 

approximately 500K to 2 million records that will be populated with likely individuals to 

be encountered in a specific AOR. Regional ABIS (e.g., CJTF-HOA) was to be 

comprised of roughly 20K to 1 million individuals likely to be encountered. Man- 
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portable ABIS (e.g., Special Forces Operations) was proposed to be loaded onto 
ruggedized laptops with databases configured for specific mission needs. Operational 
and Regional ABIS records were to be located on separate blade servers in the overall 
Enterprise ABIS server system. Operational, Regional, and Man-portable were all to be 
fully recoverable and replicated from the Enterprise database as often as required or 
requested. Each level was also to have Latent/Ten-print Examiner (LPE/TPE) 
capabilities of one extent or another. Finally, all levels were to be integrated into a Terror 
Watchlist (Quinn). In the end, however, NGA was able to avoid all the redundancy of 
data and resources without diminishing capability. Operational connectivity in various 
AOR’s are required to maintain such a specific capacity that NIPR, SIPR, and wireless 
network connections have the capability to connect directly with NGA. Therefore, 
Operational, Regional, and Man-portable versions of NGA have become unnecessary. A 
summary visual of the originally proposed system is provided below in Figure 7. 
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Figure 7. Next Generation ABIS Overview 
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D. RELATIONSHIPS AND THE FUTURE 


1. The BTF and FBI 

As mentioned earlier, a major impetus behind the original Biometrics Fusion 
Center (BFC) was to take advantage of the FBFs technological capabilities and 
institutional knowledge about biometrics. A lot of the BFC’s original biometrics 
operational concepts and database structure were heavily influenced on known, tested 
FBI capabilities. Not by coincidence, the Federal Bureau of Investigations also has its 
CJIS campus located in Clarksburg, WV (Zanger)^. To continue to foster interagency 
teamwork, current long range DoD plans are for the BTF to partner with the FBI to build 
a joint BTF-W and FBI CJIS facility on CJIS’s current property. The DoD has already 
programmed funding for the joint facility, whereas the FBI is still awaiting funding 
approval. If the FBI is unable to procure funding, the DoD will fall back to a planned 
separate facility co-located on the CJIS property. In either case, the intent is to continue 
to leverage each other’s capabilities and maximize the potential from interoperable, 
interagency biometrics capabilities (Biometrics Task Force). 

2. The Near Term 

Although the primary focus will always be on supporting the Warfighter, the 
Biometrics Task Force is collaborating with other services and agencies to move beyond 
just evaluating technologies that identify Red Forces or Grey Forces. The near-term has 
seen a shift towards more active design, testing, and implementation of Blue Force 
business process biometrics (Zanger). Such biometrics business processes include uses 
for health care records, prescription drugs, financial transactions. Humanitarian 
Assistance, Refugee Tracking, First Responders, and even re-enlistments. One of the 
more prominent programs is IDProTECT, or Identification-based Decision Processes to 
Enable Confident Transactions. IDProTECT is working towards providing a deployable 
system to enroll, verify, identify, and extract fingerprint and iris biometrics for members 

^ The location of both facilities so near each other had some help from an important individual. Each 
owes a lot to the Senior Senator from West Virginia — Robert C. Byrd. 
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who are eligible for enrollment in the Defense Manpower Data Center. The goal is to 
make IDProTECT a net-centric capable system that can store, search, and match 
multimodal biometrics that can operate within current privacy acts, laws, and policies 
(Lohman). Figure 8 below shows the IDProTECT concept in an informative quad chart. 
Programs like this are intended to help the DoD and her agencies to more accurately 
identify and track their own people and what business activities they can or cannot 
undertake. This is the next wave in biometrics for the DoD and the Biometrics Task 
Force. 


IDProTECT 
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Figure 8. IDProTECT Overview 


43 























THIS PAGE INTENTIONALLY LEFT BLANK 


44 



IV. BIOMETRIC MODALITIES & FUTURE OPTIONS 


A. CURRENT POPULAR BIOMETRIC MODALITIES 

1. Basic Biometrics Concepts 

Biometrics are simply measurable characteristics of an individual. These 
characteristics can be subdivided into two categories — anatomical and behavioral. 
Examples of anatomical biometrics are fingers, iris, face, and hands. Anatomical 
biometrics systems account for the vast majority of past and present biometric systems. 
Behavioral biometrics includes models such as signature, gate or walking, and even 
typing rhythm. Although these might offer the potential to be more discriminating from 
anatomical biometrics, they are more difficult to measure because of variances across 
time. If, for example, a biometric system is able to positively ID an individual by his 
gate, would that same system be able to positively ID the same individual with a broken 
leg? 

Despite biometric systems and technology slowly becoming more typical, 
biometrics has specific issues that do not help promote faster trust and integration. The 
biggest of these concerns is the lack of standardization. It most cases individual vendors 
are creating proprietary equipment that can only be used as per their specifications. 
Biometrics has not become a truly plug-and-play resource. Within the DoD, this issue is 
partially being addressed by the BTF. All new operational biometrics systems are 
technically supposed to be tested through the BTF before being deployed. In most cases 
this is happening, but there are still outliers such as Special Operations Command who 
test and field their biometrics independently. Appendix C gives a concise representation 
of biometrics timeline within the USG for the most significant biometric milestones since 
1967 (National Science & Technology Council 8-11). Proprietary systems lead to other 
issues like a lack of interoperability or scalability. As mandated or self-imposed 
standards evolve within the biometrics community, large business with the resources to 
implement biometrics will no longer be the only ones capable of doing so. Standards will 
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allow businesses of any scale to install and leverage biometrics with whatever technology 
they currently operate. Lastly, biometric systems and their use have sometimes acquired 
a connotation with an Orwellian Big Brother keeping track of every strand of DNA or 
personal detail. A lack of general public knowledge on biometrics combined with a lack 
of open discussion and detailed product advertising has created an atmosphere of the 
unknown when it comes to biometrics. Whatever the public does not understand, it will 
not feel comfortable purchasing, let alone using. 

If biometrics is to become as ubiquitous as USB thumb drives, the biometrics 
community and the federal government need to do more than let technology early 
adapters drive the momentum. Appendix D highlights some operational milestones of 
biometrics within the federal government (National Science & Technology Council 23- 
24). Privacy issues can be countered with information like the fact that biometric data is 
separate from personal data. Proprietary or otherwise developed biometrics systems take 
individual biometrics and process them through separate software algorithms. These 
algorithms have been shown to be fully resistant to reverse-engineering back to the 
original biometric (National Biometric Security Project 5; sec. 1). Because biometrics 
connect an individual to a stored digital identity, a business or organization can use this 
identity to allow or restrict both physical and logical access to resources. Information 
assurance and MM specialists can work with network administrators to set access 
controls appropriate for the individual’s role. If incorporated properly, an organization 
can save resources in both time and money by using biometrics throughout its operations. 
With the growing access to and falling prices for biometrics, the average user can buy 
information systems, like a laptop, with biometrics incorporated for a small additional 
price. As these individual users become more comfortable with biometrics and 
personally see their value, the word will spread more rapidly. This thesis was produced 
on a Dell laptop with a fingerprint biometric reader. Being one of the basic users in the 
population, I have personally benefitted from the ease of use and added security of 
biometrics. Every laptop I buy in the future will have a biometric reader for security as a 
result of the confidence I have from their use, whether it comes pre-installed or as an 
added option. 
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In the Identity Triad mentioned in Chapter 2, biometrics gives the highest level of 
assurance by enabling identification through “something you are,” over “something you 
know” and “something you have.” Regardless of the improved capability to ID an 
individual, biometrics is not seen as the end-all to identification. The common belief is 
that biometrics should be used in combination with other technologies to offer true strong 
authentication (e.g.. Use of CAC, strong passwords, and biometrics to be identified and 
verified by an IdM system). The level of security required for physical and logical access 
to a specific system or facility will determine the necessary combinations of technologies. 

All biometric systems process biometrics in essentially the same manner, just 
through different technologies. Each system is a pattern recognition system that is used 
to collect a biometric for enrollment, process the captured biometric using vendor-based 
algorithms, and then store or attempt to compare for identification or verification to an 
enrolled digital template of the biometric. This basic process is depicted in Figure 9 
(National Biometric Security Project 6; sec. 2). The captured digital biometric is often 
referred to as the biometric template from which all other potential identifications or 
verifications will be referenced against. Templates are frequently referenced against a 
token or password for greater access control depending on the level of security desired. 
With some technologies, it is necessary to collect multiple images in order to generate a 
quality template. A biometric systems’ ability to generate a quality template for future 
use, and therefore determine its utility, is dependent on the software’s algorithm 
processing. As has been mentioned previously, the difficulty with incorporating 
biometric systems into existing information architectures is the proprietary algorithms by 
which individual companies enroll and verify biometrics require excess resources to 
adapt. 
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Figure 9. General Biometric System 


Because each biometric technology has strengths and weaknesses based on the 
intended application, it is important to have a complete and clear understanding of the 
intended usage for the biometric before researching or purchasing the technology. The 
following is a list of categories that can be used to evaluate the application of a biometric: 

1) Overt or covert systems —Will the user proactively and knowingly be 
identified by the system or will it be designed to covertly scan the secured 
area? Either way, a person must have a biometric template on file for 
him/her to be recognized. 

2) Voluntary or involuntary systems —Will system users be required to 
participate in the system to receive access or benefits, or are there opt-out 
or work-around options? 

3) Attended or non-attended systems —Will the system be designed for 
people to use in a remote location, without assistance? Or will users 
always have technical assistance and/or attendants available? Involuntary 
and/or covert systems may always require supervision or attendance to 
monitor system use. Voluntary and/or overt systems may be “unattended.” 

4) Standard or non-standard operating environments —How much 
customization will be required for the readers to operate appropriately and 
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the network to communicate and function properly? Will the system be 
used outdoors or indoors? Outdoors environments typically fall into “non¬ 
standard” operating environments. 

5) Public or private systems—Is the use of the biometric system for a 
public program or access to a public facility, or for access to a private 
company or information? Cooperation with the biometric system can often 
be directly attributed to whether a system is public or private (i.e., 
employees). 

6) Physical security and access control—Are users trying to gain access to 
a facility or area? 

7) Cyber and computer/network security—Are users trying to gain access 
to a computer or protect information on a computer or the Internet? 

8) Identification—Is the biometric being used for identification purposes for 
access to benefits, information, border crossing, licensing, etc.? (National 
Biometric Security Project 10-12; sec. 2). 

Biometrics can generate positive identifications in one of two modes — 
identification or verification. When operating in an identification mode, a biometrics 
system is attempting to determine whether or not a given biometric sample matches any 
of all known biometric templates within a system’s database. This is often referred to as 
a one-to-many (1:N) or open-set identification and is used in applications applicable to 
law enforcement or terrorist watch lists. The verification process attempts to match a 
given biometric template against a stored template for a specific user. This is often 
referred to as a one-to-one (1:1) or closed-set identification. During the enrollment 
process, the user associates their name, and ID number, or even a token with their 
biometric template to later verify their identity (National Biometric Security Project 12; 
sec. 2). Because no system works to one hundred percent perfection, there are two 
general classes of possible errors that biometrics can create during identification or 
verification. The first is a comparison error where the machine’s functioning can 
generate either a false match or false non-match. A false match is an incorrect template 
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match to a given biometric. A false non-match is a false conclusion that a given template 
is not in the system’s database. A second class of error is a decision error based on the 
erroneous assessment from a comparison error (National Biometric Security Project 14; 
sec. 2). When a system mistakenly matches a given biometric to a database template, the 
system’s application generates a false accept and allows access to the system as a result. 
Further, the probability that this will actually occur with a particular system’s application 
is known as the false accept rate — FAR. If the biometric system’s application 
mistakenly concludes that a given biometric template does not reside in the database, the 
application generates a false reject and will deny access. Probability of the application 
rejecting a valid biometric is termed ihc false reject rate — FRR. 

Although not all encompassing by any means, the previous paragraphs offer 
enough detail to allow a generalized understanding and details by which to compare 
different biometric technologies. More thorough comparisons of the technologies would 
require researching the ease of different biometrics to enroll Users, different template 
storage options, specific components of biometric systems, operational applications for 
biometrics, and how different biometrics perform in specific IdM architectures. These 
fall outside the intended scope of this thesis, and can be researched separately. 

2. Fingerprint Recognition 

Fingerprint recognition is the oldest and most widely used biometric for both 
business and operational processes. British law enforcement first began to use manual 
fingerprint identification of criminals in the late nineteenth century. In the 1960s, 
fingerprint recognition and identification began to move from a manual to an automated 
process with the introduction of computers. With the assistance of the National Institute 
for Standards and Technology (NIST), the FBI began to research the automatic 
classification, searching and matching of fingerprints in the late 1960s (NSTC — 
Fingerprint 1). Over the next thirty years, the FBI progressed from basic scanners and 
automated inked fingerprint digitizers to the current fully automated lAFIS system 
described brifely in Chapter III. Despite initial roll-outs of stand-alone state and 
international law enforcement fingerprint recognition systems based on individual 
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standards, fingerprint recognition systems both within the U.S. and internationally have 
increasingly adopted common standards to allow greater exchange of fingerprint data. 

A digital scan or manual roll of a fingerprint will look like a series of alternating 
dark and white lines. The dark portions of the fingerprint represent ridges, and the white 
space valleys. The location where ridges stop are termed ridge endings. Where the 
ridges split are termed ridge bifurcations. Ridge endings and bifurcations are further 
known as fingerprint minutae. In the most general sense, the patterns created by these 
two distinguishing features or the location of specific minutae help build a model for 
individual fingerprints that can be used to uniquely ID someone. Fingerprint recognition 
software is generally designed to either match overall fingerprint patterns or minutae 
patterns. Figure 10 gives an example of different types of fingerprint images and 
terminology to describe features (NSTC — Fingerprint 3). Hardware can collect 
fingerprints individually, four to five fingers at a time, or all ten fingerprints 
simultaneously. These collections can then either be slap or rolled. Slapped fingerprints 
collect an image from the fingernail to the first knuckle. Rolled prints collect images 
from one side of a fingernail to the other side. The best device to use will varies by the 
time available to capture images and the intended purpose of the fingerprint system. 



Endtn^ 





Figure 10. General Fingerprint Characteristics 
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3. 


Iris Recognition 


Iris recognition is one of the newer biometric modalities used today in IdM. An 
automated method for recognizing irises did not receive a patent until 1994 (NSTC — 
Iris 1). Iris recognition is reasonably straight-forward. The structure or pattern and color 
of an individual’s irises are developed prior to birth and remain stable over a lifetime. 
Even though an person’s irises are genetically the same, their individual irises have 
separate and distinct patterns. To perform iris recognition, a digital image of the pattern 
in an iris is collected and quantified using a low or high-resolution camera. Before the 
image can be taken, however, the iris must be localized to exclude “image noise’’ from 
eyelashes, eyelids, pupils, reflections (NSTC — Iris 2). The collected image is then 
mapped by dividing the iris into phasors or segments. Each phasor is mapped for its 
orientation within the iris along with the iris’ individual pattern. The final image 
generated is referred to as an IrisCode® and becomes the basis for future comparisons. 
Figure 11 visually represents both the basic structure of an eye and two sample irises. 



Figure 11. Iris Diagram and Structure 

4. Facial Recognition 

Facial recognition is reasonably one of the most innate biometric modalities since 
most people use the face to recognize one another anyway. Despite the intuitiveness of 
facial recognition as a concept, the process of facial recognition is far from being 
standardized with any specific recognition method dominating. The different approaches 
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to facial recognition are geometric (facial features based), photometric (view based), and 
algorithm based. Within the algorithm based approach, there are three major types of 
algorithms — Principal Components Analysis (PCA), Linear Diseriminant Analysis 
(LDA), and Elastie Bunch Graph Matching (EBGM) (NSTC — Face 2). PCA uses a 
collected image in comparison to a gallery of algorithmic generated images referred to as 
eigenfaces^. Both the collected and gallery images generally require a full frontal image. 
LDA uses a statistically analytic algorithm to classify an image against within-class 
(within individual’s class of photos) or against samples of images between-class (aeross 
all individual image elasses) (NSTC — Faee 3). EBGM foeuses on the non-linear 
characteristics of real images such as pose, illumination, or expression to generate an 
elastic grid image with “Gabor jets” that mark distinctive facial nodes (National 
Biometric Security Project 7; sec. 3). The three algorithms are visualized in Figure 12. 




Figure 12. 


(1) PCA, (2) LDA and (3) EBGM Faeial Reeognition Examples 


^ Eigenfaces is derived from the well known mathematical technique of Principal Component Analysis 
based on eigen vectors. 
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B. BEHAVIORAL BIOMETRICS 


1. Overview of Behavioral Biometrics 

Behavioral biometrics are defined as behavioral traits learned and acquired over 
time, rather than ones based primarily on biology (National Biometric Security Project 
41; sec. 2). The most dominant forms of behavioral biometrics are voice recognition and 
dynamic signature. Newer potential behavioral biometrics include gait recognition (i.e., 
the manner in which a person walks) and typing recognition. Using behavioral 
biometrics can add a fourth dimension — something you do — to the ID Trinity as a 
result of the obvious requirement for the individual to perform an action as part of the 
verification process. This fourth dimension strengthens the security benefits of one or 
more of the original three forms of the ID Trinity when used in combination. This should 
intuitively make sense. If a static biometric statistically offers the highest level of 
certainty in positive identification, a behavioral biometric which is acquired over years of 
repetition and also distinctly personal will provide an even greater magnitude of certainty 
if appropriately processed. The ability to generate an algorithm which quickly and 
without excessive repetition captures a template, and then make minute adjustments over 
time, is the hurdle to overcome for successful behavioral biometrics. 

2. Voice Recognition 

Voice recognition, sometimes also referred to as speaker verification, is a 
behavioral biometric that uses the voice of an individual to positively make an 
authentication. Each person’s voice is influenced by the physical structure of their vocal 
tract as well as behavioral characteristics like mouth movement and pronunciation. 
Voice recognition should not be confused with speech recognition that recognizes spoken 
words and is not a type of biometric. There are two forms of voice recognition — text- 
dependent and text-independent (NSTC — Speaker 2). When using the text-dependent 
method, an individual must present the same specific password or phrase used during 
enrollment. Text-dependent speaker recognition increases the performance of a 
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biometric system because the system has a preprogrammed model for comparison. Text- 
independent systems offer greater flexibility because there does not need to be any 
specific word of phrase for enrollment or verification. Speech variations in duration, 
intensity, or pitch are modeled into multiple vector “states” to be used for later 
verification. The representation of a voice sample plotting voice loudness in the top and 
voice spectral analysis in the bottom is shown in Figure 13. 



Figure 13. Speaker Recognition Voice Sample 


Voice recognition is a popular behavioral biometric because of its low cost and 
ease of use. A voice recognition system can be layered on top of already existing 
telephone or cell phone lines which reduce start-up and long-term infrastructure costs. 
Prevalent uses for voice recognition include physical access control to spaces, phone 
banking, call center authentication (e.g., home alarm systems), and even house arrest 
monitoring (National Biometric Security Project 43; sec.3). With the ability to verify an 
individual remotely, voice recognition can enable automated access to resources or 
services while simultaneously reducing overhead costs. Drawbacks include susceptibility 
to transmission noise, inability to control the system used for input if done remotely, and 
possible spoof attacks using a recorded voice (NSTC — Speaker 4). 
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3. Dynamic Signature Verification 

Dynamic signature verification collects dynamic data such as the speed, pressure, 
shape, and direction with which an individual writes their signature. After the capture of 
a few samples to form a template, all the individual is required to do is write their 
signature for future positive identification. Like many of the other biometrics, dynamic 
signature verification was not logically possible until computer systems were able to 
process such algorithms starting in the 1970s. As such, dynamic signature as a tool in 
IdM is a relatively new option. This biometric should not be confused with the 
ubiquitous electronic signature capture devices used in the retail or shopping industries. 
Electronic signature devices simply capture the physical signature for replication and are 
not a biometric. Figure 14 presents one of many possible options to input a dynamic 
signature, as well a visual representation of the actual signature and measurements 
(NSTC — Signature 1). 

Because dynamic signatures are nearly impossible to duplicate as compared to a 
static signature image, it is a very secure method to authenticate an individual. Some 
dynamic signature algorithms also incorporate learning functions which adjust the 
individual signature template to account for natural user variability over time. 



Figure 14. Dynamic Signature Input and Measurements Example 
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C. USE CASE: BLUE EORCE E-BUISNESS DYANMIC SIGNATURE 
VERIFICATION 

1. The Device: DynaSig Bio-Pen 

A dynamic signature biometric like the DynaSig Bio-Pen and accompanying Lock 
Box software is a flexible security and IdM tool. It is well suited for certain sectors of 
the business community, like the banking industry or package shipping industry, where 
identification and verification are mandatory requirements for business processes and 
auditing. Dynamic signature devices easily incorporate a readily used device — a pen — 
and accompanying software into current business operations. There is no need for any 
extensive vendor training, and only a minimal requirement on IT resources. Bank tellers 
and managers, for example, require an extensive auditing trail to ensure that both the 
bank and customer are protected from fraud. Signatures in combination with 
identification like a driver’s license have been the standard. The ability to capture in real¬ 
time and store indefinitely the verified digital signatures of both customer and bank 
employee helps nearly eliminate ID fraud and its enormous costs. 

The DynaSig Bio-Pen and Lock-Box software offer a simple, user friendly, 
behavioral biometric toolset for establishing and maintaining secure transactions, IdM, 
data protection, and a continuous auditing trail. Figure 15 shows a detailed view of the 
interior components of a Bio-Pen (Kim, Bio-Pen Presentation 6). The Bio-Pen collects 
motion, pressure, acceleration, timing... in all three axis — X, Y, and Z — through the 
onboard equipment. Each pen is individually serialized in the hardware to provide a 
unique ID to the owner and to the firmware when the USB is connected. Every time the 
Bio-Pen is used, it generates a unique code, equivalent to a time-stamp, to counter 
potential replay attacks. When an owner writes with the Bio-Pen, the software algorithm 
creates a unique “signature” that is combined with the two previous pieces of data, 
encrypted, and sent to the database for comparison (Kim, Bio-Pen White Paper: Security 
Features). The verified combination of all three pieces of encrypted data provides a high 
level of security and trust that the person using the pen and the dynamic signature 
presented are all valid. 
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Figure 15. DynaSig Bio-Pen Components 


Figure 16 displays some of the Bio-Pen tip and body options available. The Bio- 
Pen can be configured to work with an ink cartridge as a normal pen, with a stylus 
designed for PDA’s, or even with a stylus designed for Tablet PC’s (Kim, Bio-Pen 
Applications 5). The configuration of the pen is flexible to the business process or 
requirement, and is easily reconfigurable to move from one to the next. 


(1) liik i5i‘ Plfiilic Tip - Plablic Casing Cap): 



(2) liil; oi' Plri.'j'liv I'lp Mirliil Ca»iii£: 



(j) TiiLik[ (Digital Siv lift) Tip. 



Figure 16. DynaSig Bio-Pen Tip & Body Options 

Along with the digital measures of security explained previously, the combination 
Bio-Pen and Lock Box software offer some other distinct advantages: 

1. Writing a signature is an instinctive, habitual behavioral action. 

2. Nearly impossible to impersonate an individual dynamic signature. 

3. No passwords to lose or remember. 
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4. No personal data is created or attached to the system. 

5. Personal authentication can be accomplished from anywhere with an 
Internet connection. 

6. Highly scalable to the needs and size of an organization. 

7. Software adapts to dynamic signature variation over time through 
automated updates. 

8. Digital and, if desired, physical auditing data ensure non-repudiation. 

Like any other dynamic signature biometric, there are a few potential drawbacks 
depending on the working environment: 

1. Owner or User must be able to write a signature. 

2. Users with continuously variable signatures will have difficulty enrolling 
and verifying. 

3. Software must be able to adjust for variations in signature over time. 

4. Best applications are staff, administration, business, and e-business 
environments. 

2. The Scenario: Military Logistics Tracking and Authorization 

Twenty-four hours a day — seven days a week, the four U.S. military Services 
prepare, transport, and deliver vital military equipment and resources. Like many other 
global businesses, the four Services need to positively verify that the right materials were 
loaded onto the right transport, arrived at the right location, and were delivered to the 
intended customer on time. If something did not go according to the plan, there needs to 
be a secure real-time system that allows the logistical chain of command to access the 
most current information and determine a new course of action. The information which 
will be used for current and future planning can only be trusted if the individual updating 
the system can be verified for both positive identification and system access privileges, 
then has their verified identity attached to the data for non-repudiation and auditing. 
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Without a reliable verification tool as part of an Identity Management Architecture to 
assure these requirements, all information is suspect until proven otherwise. 

This problem has multiple parts that need to be addressed simultaneously in order 
to at least maintain or preferably improve the data entry, individual verification, and 
logistic processing timeline. Here are some of the more important questions that need to 
be addressed: How can the system positively ID each individual? Can there be 
assurance that the individual identified is not an imposter? How can the system then 
attach the ID to their data? How can the system ensure the individual entering data is 
authorized and accredited? Is it possible to do all this in real-time? Is there a method or 
device which ensures the highest level of security while not mandating added layers of 
requirements and resources? 

In short, yes. Specifically, the DynaSig Bio-Pen dynamic signature device can 
meet these requirements while easily integrating into whatever logistics process is being 
performed. From the moment resources are ordered, an audit trail is being produced for 
current and future use. The person who orders the materials can either do it in person 
with physical paperwork, or more expeditiously through digital documents. The 
customer must be verified and offer proof of eligibility by generally signing a document. 
Whether in a physical or digital signature, the Bio-Pen dynamic signature device can be 
used to complete the order. From this stage and at every logistic point of processing 
thereafter, each individual offers their signature as part of the process. Their verified 
signature will instantaneously and automatically be added to the business process 
documents, as well as the systems’ auditing mechanism. This data will then be available 
to all access approved individuals. Even if a physical auditing trail is required at one 
specific location, the Bio-Pen can simultaneously write an ink signature and digital 
signature fulfilling the requirement. 

At any point in the process a higher degree of security such as CAC access to an 

information system can be added. Individual commands can tailor their specific security 

requirements while the entire system is assured of the data and the data’s owner. 

Dynamic signatures provide a nearly impossible to duplicate behavioral biometric with 

an inherently high level of security. If a product like the DynaSig Bio-Pen is 
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incorporated into the process, the individual using the pen will be known to have been 
vetted for and given specific access control privileges. A DynaSig Bio-Pen would be 
ubiquitous in its operation because everyone throughout the chain of command has or is 
required to use their signature at some point. There is no requirement for any form of 
training. In summary, a DynaSig Bio-Pen is a low cost, easy to use, behavioral biometric 
that scales to even the largest enterprise architecture. A dynamic signature verification 
process layered onto any logistical process instantly provides increased IdM, security, 
and accountability with little or no system modification. 
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V. SUMMARY AND RECOMMENDATIONS 


A. SUMMARY 

The federal government and all its agencies are working very hard to determine 
how best to implement a realistic and executable Federal Identity Management 
Enterprise. Simultaneously, these efforts are not being effectively coordinated despite 
the unanimous understanding that standardization and coordination are necessary key 
elements. Regardless of the necessity or agreement, there are always agencies, 
departments or individuals who do not want to share their information or feel only their 
ideas are acceptable. These issues are unavoidable and serve only to slow the IdM 
Enterprise from gaining momentum and being implemented. Despite the real or 
perceived roadblocks, progress is being made towards universal solutions. Eventual IdM 
Enterprise systems will spring from the systems being used and developed today. In the 
DoD, such precursor systems include the Biometric Identification System for Access 
(EISA) used to identify non-military personnel trying to gain access to coalition facilities, 
or the Defense Biometrics Identifications System (DBIDS) which verifies personnel 
trying to gain access to U.S. military facilities and is operated by the Defense Manpower 
Data Center (DMDC) through military law enforcement. Individual systems like these 
will be evaluated over time for ease of use, security of data, effectiveness, and scalability. 
Systems that excel will be expanded. The rest will be discontinued. Other federal 
departments like the Department of Homeland Security and Department of Justice are 
experimenting with systems in a likewise fashion. In the future, all of these systems will 
be integrated in either a logical or physical fashion to support a holistic Eederal IdM 
Enterprise. 

This thesis attempted to take a snapshot in time of the current state of affairs in 
federal IdM and biometrics, while specifically focusing on the Department of Defense. 
The information contained in this thesis is by no means all encompassing. It should be 
considered nothing more than a significant primer on the subjects at best. Necessary and 
substantial topics that will also need to be addressed include: (1) legal issues concerning 
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the collection, storage, and use of U.S. citizen personal data; (2) social implications to 
gaining widespread use and trust of identity management tools like biometrics; and, (3) 
development of standards that enable physically separate systems to exchange data 
logically in order to meet operational or business needs. No holistic solution is possible 
without addressing and presenting long-term solutions that stay within the boundaries of 
the U.S. Constitution, meet process requirements, and guarantee the security and integrity 
of the data. 

B. RECOMMENDATIONS 

The field of Identity Management does not have the recognition or precedence 
behind it commensurate with its current value. Every day people are walking across U.S. 
borders or landing at U.S. airports trying to gain access to the nation. No one needs to be 
reminded the country is at war, and the requirement for maintaining the security of 
American citizens never stops. Billions of tax-payer funded dollars are stolen annually 
through identity theft because minimally paid or under skilled workers are entrusted with 
safeguarding personal data on technology they do not understand. Even worse, these 
federal or state employees sometimes just sell the data or credentials to make a quick 
buck without regard to their fellow citizens and to the damage to their country. What do 
agencies do when breaches happen? In some cases, the incidence and its details are kept 
in close hold. It is hoped that in most cases, the breach, those victimized, and a solution 
are presented to help minimize the damage. In either case, potential and actual victims 
are at the mercy of the agency for information because there is no reciprocity in regards 
to personal data access. Only the agencies and its employees have access to an 
individual’s collected personal data. Outcomes such as these arising from unsecured 
personal data on USG systems which lack full transparency are no longer acceptable to 
the American public. 

First, resources and focus must be put into education. Educating the personnel 
who will operate current and future IdM architectures within an overarching Federal IdM 
Enterprise must be a priority. Academic institutions like West Virginia University and 
the Naval Postgraduate School have seen this requirement and have implemented courses 
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of instruction towards that end. West Virginia University has targeted undergraduate and 
graduate courses in biometrics, identity management, and computer security. The Naval 
Postgraduate School recently established a federal certification in Identity Management 
tailored purposely for military and civil service professionals in the biometrics and IdM 
fields. If federal and state governments make it known that these particular fields are of 
great concern, public and private educational institutions will invest the resources to 
create applicable course and degrees. 

Secondly, all agencies and departments of the federal government must 
acknowledge that a new field of IdM professionals is vitally required. Within the DoD, 
the Services need to definitively delineate IdM and biometrics positions or billets from 
their information technology specialists. For instance, the U.S. Navy’s information 
technology specialists come from the Information Professional (IP) Community. IP’s can 
be detailed to a range of billets with specialties that include information assurance, 
knowledge management, or communications. There is, however, no recognition for the 
need to designate or create billets that focus on identity management or biometrics. The 
Navy and her sister Services need to acknowledge this major oversight, and then work 
the manning documents to correct. This process and mentality needs to permeate the 
USG as a whole. 

The public is only minimally aware of the impact and influence that IdM and 
biometrics is going to play in their future daily lives. As thoughtful and logical 
discussions begin to take place outside the Beltway of Washington, DC, Americans will 
be exposed to the benefits and detractors of a Federal IdM Enterprise. National, state, 
and local leaders themselves need to grasp the basic concepts so that they can lead these 
necessary discussions. The train bringing nationalized IdM and biometrics in some form 
or fashion has already left the station. Now is the time for the American public to decide 
what kind of Federal IdM Enterprise they will accept, and their government to implement 
it. 
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APPENDIX A — NSTC STRUCTURE 
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APPENDIX B — NSTC BIOMETRICS GLOSSARY & ACRONYMS 



Version 1.0 


Biometrics Glossary (BG) 


A 

American Nalional a private, non-profit organization that administers and coordinates the U.S. 

Sta nda rd s I nstitute (ANSI) voi u nta ry sta nda rdizatb n a nd co nformity a sse ss me nt system. Them iss i or of 

ANSI is to enhance both the global competitiveness of U.S. business and the U.S. 
quaitty of life by promoting and facilitating voluntary consensus standards and 
conformity assessment systems, and safeguarding their integrity. 

Nathnsf Sc^erjoe & T^chnofogy Council (NSTC), September 06 

httpJA^ww. biometrics.aov/Documents/ohccarv. pdf 

A nalyze Co n s/e rts da ta to a ction a bl e i nfo rmatio n a n d recommendatio n s a s a pp! ica b le to 

increase situation a i avwareness and better understand possible courses of action. 

Derived from Capsfo/je Concept of Operations for DoD Biometics in Support of 
Identity Superiority, November 2006 


Arch A fingerprint pattern in which the friction ridges enter from one side, make a rise in 

the center, and exit on the opposite side. The pattern wiil contain no true delta 
point. 

Naifonaf Science Si Technology Council (NSTC), 14 September OS 
htto:/A/Vww. biometrics. aov/Documents/alossarv. odf 

Associated Information Non-bio metric information about a person, For exam pie, a person's name, 

personal habits, age, current and past addresses, current and past emptoyers, 
teiephone number, email address, place of birth, family names, nationality, 
education level, group affiliations, and history, including such characteristics as 
nationality, educational achievements, employer, security clearances, financial 
and credit history. 

Capstone Concept of Operations for DoD B/ome tecs in Support of identity 
Superiority, November 200S 


Attempt The submission of a single set of biometric samples to a biometric system for 

identification or verification. Some biometric systems permit more than one 
attempt to identify or verify an individual. 

Nathnat Science S Technology Council (NSTC), 14 September 06 

mpj/'ivww, 

Authoritative Source jhe primary DoD-approved repository of biometric information on a biometric 

subject. The authoritative source provides a strategic capability for access to 
standardized, comprehensive, and current biometric files within the DoD and for 
the sharing of biometric files with Joint, Interagency, and designated Multinational 
partners. The DoD may designate authoritative sources for various populations 
consistent with applicable law, policy and directives. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
identity Superiority, November 2006 
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Biometrics Glossary (BG) 


Feb 1. 2006 


Auto-correlation 


Automated Biometric 
Identification System (ABIS) 


Automated Fingerprint 
Identification System (APIS) 


Automated Identification 
Management System (AIMS) 


A proprietary finger scarining technique. Two identical finger images are overlaid 
in the auto-correlation process, so that light and dark areas, known as Moire 
fringes, are created. 

fnternationat Association for Biometrics (iAfB) and fnternationat Computer 
Security Association (ICSA), 1999 Glossary of Biometric Terms 

h rio./Av iv w.afb. ora, uk/docs/ofoss an/, him 

Department of Defense (DoD) system implemented to improve the U.S. 
government’s ability to track and identify national security threats. 

Natbnat Science St Technology CoL/nc//fA/STQ), 14 September 06 
http;/Avww. biometrics.gov/Documents/glossarv. odf 

A highly specialized biometric system that compares a submitted fingerprint 
record (usually of multiple fingers) to a database of records, to determine the 
identity of an individual. APIS is predominantly used for I aw enforcement, but is 
also being used for civil applications (e.g. background checks for soccer coaches, 
etc). 

Natfonat Science S Technofogy Councif (NSTC), 14 September 06 
http-./^A/ww. biometrics. aov/Documents/afossarv. pdf 

A system that acts as a central wefchbased informational portal between U.S. 
Central Command (USCENTCOM), National Ground Intelligence Center (NGIC), 
and the Biometrics Fusion Center (BFC) that is designed to fuse intelligence 
analysis and value added comments from field users of matched biometric and 
biographic data. 

USCENTCOM Biometric identification System for Access (B!SA) CONORS 
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Biometrics Glossary (BG) 


Feb 1. 200B 




Behavioral Biometric 
Characteristic 


Bifurcation 


Biographic Data 


B 

A biometric chanacteristic that is learned and acquired over time rather than one 
based primarily on biology. All biometric characteristics depend somewhat upon 
both behavioral and biological characteristic. Examples of biometric modalities for 
which behavioral characteristics may dominate include signature recognition and 
keystroke dynamics. 

Nathnsf Sorer?ce & T^chnofogy Council (NSTC), September 06 
httpJAmvw, biometrics.aov/Documents/ohccarv. pdf 

The point in a fingerprint where a friction ridge divides or splits to form two ridges. 

National Science & Technology Council (NSTC), 14 September 06 
littp:/Avww. biometrics, aov/Documents/alocsary, pdf 

Data that describes physical and non-physical attributes cfa biometric subject 
from whom biometric sample data has been collected. For example, full name, 
age, height, weight, address, employers, telephone number, email address, 
birthplace, nationality, education level, group affiliations, also data such as 
employer, security clearances financial and credit history. 

Derived from USCENTCQM Biometric identification System for Access (BISA) 
CONORS 


Biological Biometric 
Characteristic 


Biometrically Enabled 
Intelligence 


A biometric characteristic based primarily on an anatomical or physiological 
characteristic, rather than a learned behavior All biometric characteristics depend 
somewhat upon both behavioral and biological characteristics. Examples of 
biometric modalities for which biological characteristics may dominate include 
fingerprint and hand geometry. 

National Science & Technology Council (NSTC), 14 September 06 
httD:/Avww. biometrics. aov/Documents/alossarv. pdf 

Intelligence information associated with biometrics data e.g. pattern analysis of a 
biometric subject's encounters with biometrics systems, judgments about a 
biometric subject disposition or intent based on biometric matches with forensic 
data, etc. 

Derived from DoD D B52LAAE DoD BIOMETRICS PROGRAM 


Biometrically Enabled The process of granting access to installations and facilities through the use of 

Physical Access biometrics. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
Identity Superiority, November 2006 
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Biometrics Glossary (BG) 


Feb 1. 200B 


Biometrically Enabled 
Watehlist (BEWL) 

Any list of person of interests (POI), with individuals identified by biometric sample 
instead of by name, and the desired/reconnmended disposition instructions for 
each individual. However, there first must be an acceptable degree of certainty 
that there is some indication of past behavior attributable to the individual that 
belongs to the biometric sample in order to estimate the ievet of threat posed by 
that individual Even upon encounter or capture, we may never know an 
individuals' true identity, but that is immaterial as long as the linkage between the 
biometric sample and past threat behavior is established. No practicable 
standard currently exists for BEWLs, but the minimum content of a BEWL record 
is (1) a biometric identity (biometric sample linked to a POI), (2) a category of 
interest or threat commonly referred to as a tier, (3) the recommended action(s) to 
taken upon next encounter, and (4) notification instructions. The classification of 
the information within the BEWL can be up to TS/SCI/ORCON. In most 
instances the information will be releasable or at the UNCLASSIFIED//FOUO 
level to facilitate sharing. 

The DoD Biometrically-Enabled Watchlist (BEWL) A Federated Approach, May 3, 
2007 

Biometric Application 
Decision 

A conclusion based on the application decision policy after consideration of one 
or more comparison decisions, comparison scores and possibly other 
non-biometric data. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 

Biometric Automated 
Toolset (BAT) 

A multimodal biometric system that collects and compares fingerprints, iris 
images and facial photos. It is used to enroll, identify and track persons of 
interest; build digital dossiers on the individuals that include interrogation reports, 
biographic information, relationships, etc. BAT has an internal biometric signature 
searching and matching capability. 

Capstone Concept of Operations for DoD Biometrics In Support of Identity 
Superiority, November 2006 

Biometric Capture Device 

A device that collects a signal from a biometric characteristic and converts it to a 
captured biometric sample. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 

Biometric Capture Process 

A process of collecting or attempting to collect signals from a biometric 
characteristic and converting them to a captured biometric sample. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 

Biometric Characteristic 

A biological and behavioral characteristic of a biometric subject that can be 
detected and from which distinguishing, repeatable biometric features can be 
extracted for the purpose of automated recognition of biometric subjects. 
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Biometric Claim 


Biometric Database 


Biometric Data Block 


Biometric Feature 


Biometric Feature 
Extraction Process 


Biometric File 


Biometric Identification 
Application 


Derived from JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 
S, Harmonized Biometne Vocabulary, November 2007 


A claim that a biometric subject is or is not the source of a specified or 
unspecified biometric reference. 

JTC00l-SC37-n-22S3 Text of Standing Document 2(SD2) Version 3, Harmonized 
Biometric Vocabuiary, November 2007 


A collection of one or more computer files. For biometric systems, these files 
could consist of biometric sensor readings, templates, match results, related 
biometric subject information, etc 

Derived from Nationat Science Technology CounoH (NSTC), 14 September 06 
h ttoi/Avw L.!/. biom etrics. aov/Documen ts/aios sarv. odf 

A block of data with a defined for mat that contains one or more biometric samples 
or biometric templates. 

JTG00HSC37m-2263 Text of Standing Document 2(SD2) Version 3, Harmonized 
Biometric Vocabulary, November 2007 


Numbers or labels extracted from biometric samples and used for comparison. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 


A process applied to a biometric sample with the intent of isolating and outputting 
repeatable and distinctive numbers or labels which can be compared to those 
extracted from the other biometric samples. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 


The standardized individual data set resulting from a collection action (biometric 
sample and contextual data). 

Capstone Concept of Operations for DoD Biometrics In Support of Identity 
Superiority, November 2006 


A system which contains an open-set or closed-set identification application. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 
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Biometric Ictentificatron 
System for Access (BISA) 

A biometric and contextual data collection and credential card production system. 
It is capable of multi-modal biometric oollection (fingerprintp iris, and facial 
recognition). The system collects biometric and biographical infonmatbn from 
visitors to U.S., Coalition, and allied installations worldwide, it produces biometric 
enabled identification cards compatible with the Common Access Card (CAC) 
readers. The identification cards (which are counterfeit deterrent, tamper proof 
and encrypted), use fingerprint images to conduct one-to-one identity verification. 
BISA collects, transmits, stores, retrieves, manipulates, and displays biometric 
and contextual data in accordance with national/international standards and 
industry best practices. 

Initial Capabilities Document (ICD) for Biometrics in Support of Personnel Identity 
(BSPI) (Draft), 30 Jun 07 

Biometric Intelligence 
Resource (BIR) 

A system that has been established to provide members of the DoDIIS 

Intelligence Community and theater warfighters with access to a reliable, 
centralized, and permanent repository of potential terrorist biometric information 
and associated intelligence information. The BIR system ingests biometric 
signatures and contextual data collected from Department of Defense biometric 
processing systems and makes this information available to members of the 
worldwide Intelligence Community through a web-based interface for the purpose 
of positive identification of individuals and tracking related intelligence. 

Derived from Biometric Intelligence Resource (BIR) Implementation: 2006-2007 
BIR Version 2 System Design Document (SDD) 20 June 2007 

Biometric Property 

The descriptive attributes of the biometric subject estimated or derived from the 
biometric sample by automated means. 

EXAMPLE Fingerprints can be classified by the biometric properties of 
ridge-flow, i.e. arch whorl and loop types. In the case of facial recognition, this 
could be estimates of age or gender. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 

Biometric Reference 

One or more stored biometric samples, biometric templates or biometric models 
attributed to a biometric subject and used for comparison. 

EXAMPLE Face image on a passport; fingerprint minutia(e) template on a 
National ID card; Gaussian Mixture Model for speaker recognition, in a database. 

JTG001-SG37~n'2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocatuiary. November 2007 

Biometrics 

A general term used alternatively to describe a characteristic or a process. 

As a characteristic: A measurable biological (anatomical and physiological) and 
behavioral characteristic that can be used for automated recognition. 

As a process: Automated methods of recognizing a biometric subject based on 
measurable biological (anatomical and physiological) and behavioral 
characteristics. 

Natbnat Science & Technology Council (NSTC), 14 September 06 

h ttoi/Avw w.biom e tries. aov/Documen ts/alos sarv.cdf 
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Biometric Sample 

One of two components of a biometric file (biometric samples and contextual 
data). Data that represents a biometric characteristic of a biometric subject as 
captured by a biometric system, 

Lhrfv^d from Capsto/je Concept of Operations for DoD Biometrics in Support of 
Identity Superiority, November 2006 


Biometrio Sample Collectqr An individual trained in bioinetrics that is familiar with empioyment of biometrics in 



support of his or her organization, performing the biometric sampie(s)coliection. 

Biometfcs Task Force & Biometrics Data Team 

Biometrics Application 
Programming Interlace 
(BioAPIJ 

iDefines the application programming interface and service provider interface for a 
standard biometric technology interface. The BioAPi enabies biometric devices to 
be easily installed, integrated or swapped within the overall system architecture. 

Natlonat Science & Technology Council (NSTC), 14 September 06 

http:/Aymv.biomeiricsvov/Document$/alo$sarv.pdf 

Biometrics Enterprise 

All systems, interfaces and personnel that are utilized to establish identities of 
people through the use of biometric modalities. 

Biometrics Task Force Strategy Division 

Biometrics Program 

A comprehensive process incorporating the principles and practices of biometrics 
into an organization. 

DoD D 8521. AAE DoD BIOMETRICS PROGRAM 

Biometric Subject 

An individual for which biometric samples were collected and enrolled into a 
biometric database for the purpose of identification and/or verification. 

Biometrics Task Force & Biometrics Data Team 

Biometric System 

Multiple individual components (such as sensor, matching algorithm, and result 
display) that combine to make a fully operational system. A biometric system is an 
automated system capable of 

1. Capturing a biometric sample from a biometric subject. 

2. Extracting and processing the biometric data from that samiple. 

3. Storing the extracted information in a database. 

4. Comparing the biometric data with data contained in one or more references. 

5. Deciding how well they match and indicating whether or not an identification or 
verification of identity has been achieved. 

A biometric system may be a component of a larger system. 

Derived from National Science & Technology Council (NSTC), 14 September 06 

h tto'JAvw Li/. biom etrics. aov/Documen ts/alos sarv. odf 
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Biometric Template 


Blue Force 


Set of stored biometric features comparable directly to biometric features of a 
recognition biometric sample. 

JTCQQ1-SC37-n-2263 Text of Standing Dooument 2(SD2) Version 8, Harmonized 
Biometric Vocabufary, November 2007 


A population group of trusted individuals including, but not limited to, DoD 
personnel and family members, U.S. persons, trusted allies, and coalition 
members. 

DoD D 8521. AAE DoD BIOMETRICS PROGRAM 
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Challenge Response 

C 

A method used to confirnn the presence of an individual by eliciting direct 
responses from the individual. Responses can be either voluntary or involuntary. 
In a voluntary response, the individual will consciously react to something that the 
system presents. In an involuntary response, the individual body automatically 
responds to a stimulus. A challenge response can be used to protect the system 
against attacks. 

Derived from Naiionaf Science 5 Technoiogy Councii (NSTC), 14 September 06 

hnD:/Avww.biornems.oov/Docurnents/dlo$$arv 

Closed-set Identification 

A biometric task where an unidentified biometric subject is known to be in the 
database and the system attempts to determine his/her identity. Performance is 
measured by the frequency with which the biometric subject appears in the 
system's top rank (or top 5, 10, etc.). 

Derived from Neiionet Science & Technoiogy Couficii (NSTC), 14 September 06 

htto:/Mww. biometics.aov/Documents/ahcsarv. odf 

Collect 

Capture biometric and related contextual data from a biometric subject, with or 
without his knowledge. Create and transmit a standardized, high-quality biometric 
file consisting of a biometric sample and contextual data to a data source for 
matching. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
Identity Superiority, November 2006 

Common Access Card 
(CAC) 

The standards identification card for active duty personnel (to include the selected 
reserve), DoD civilian personnel, and eligible contractor personnel. It is the 
principal card used to enable physical access to buildings and controlled spaces 
and can be used to gain access to the department's computer networks and 
systems. The card, which accommodates an integrated circuit chip, also contains 
other relevant media such as magnetic strips and bar codes. 

DoD Deputy Secretary of Defense Memorandum, Smart Card Adoption and 
Implementation, 10 November 1999 

Common Biometric 
Exchange File Format 
(CBEFF) 

A standard that provides the ability for a system to identify, and interface with 
multiple biometric systems, and to exchange data between system components. 

Natbnat Science & Technology Council (NSTC), 14 September 06 

Common Biometric 
Exchange Formats 
Framework (CBEFF) 
specification 

Describes a set of data elements necessary to support biometric technologies in a 
common way These data can be placed in a single file used to exchange 
biometric information between different system components or between systems. 
The result promotes interoperability of biometric-based application programs and 
systems developed by different vendors by allowing biometric data interchange. 

Natbnat institute of Standards and Technology Interagency Report (NISTIR) 
6529-2001, Common Biometric Exchange File Format 3 January 2001 


Page 9 of 39 


77 












Version 1,0 


Biometrics Glossary (BG) 


Feb 1. 200B 


Comparison 


Comparison Decision 


Contextual Data 


Core Point 


Cumulative Match 
Characteristic (CMC) 


Process of comparing a biometric reference with a previousiy stored reference or 
references in order to rnake an identification or vehftcation decision. 

Nstbnat Science & Technoiogy Council (NSTC), 14 September 06 
h ttp'J/'Mv w. biom etrics . aov/Documen ts/alos ssrv.odl 

Determination of whether the recognition biometric sample(s) and biometric 
refers nee (s) have the same biometric source, based on a comparison score(s), a 
decision policy(ies), inciuding a th res ho id, and possibly other inputs. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 


Elements of biographicai and situation a i infomnation (who, what when, where, 
how, why, etc.) that are associated with a coliection event and permanentiy 
recorded as an integral component of the biometric file. 

Capstone Concept of Operations for DoD Bionnetflcs in Support of identity 
Superiority, November 2006 


The ‘center(sy of a fingerprint. In a whorl pattern, the core point is found in the 
middle of the spiral/circles. In a loop pattern, the core point is found in the top 
region of the innermost loop. More technically, a core point is defined as the 
topmost point on the innermost upwardly curving friction ridgeline A fingerprint 
may have multiple cores or no cores. 

National Science S, Technology Council (NSTC), 14 September 06 
httoJ/'jvww.bfometrics.oov/DQcuments/alossarv. pdf 

A method of showing measured accuracy performance of a biometric system 
operating in the closed-set identification task. Templates are compared and 
ranked based on their similarity. The CMC shows how often the biometric subject 
template appears in the ranks (1,5, 10, 100, etc.), based on the match rate. A 
CMC compares the rank (i, 5,10,100, etc.) versus identification rate. 

National Science S Technology Council (NSTC), 14 September 06 
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Decide/Act 


Defense Biometrics 
Identification System 
(DBIDS) 


Degrees of Freedom 


Delta Point 


Detainee Reporting System 
(DRSJ 


Detection and Identification 
Rate 


D 

The response by the operational or business process owner [either automated or 
hunnan-in-the-loop) to the results of the match and/or analysis described in the 
DoD Biometric Process, as well as associated information relevant to the 
situation. 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


A DoD owned and operated system developed by Defense Manpower Data 
Center (DMDC) as a force protection program to manage installation access 
control for military installations. It is a networked client/server database system 
designed to easily verify the access authorization of personnel and fingerprint 
biometric identification. The DBIDS software application is used to enter 
personnel and vehicle data into a database, capture biometric information, and 
retrieve that data and biometric information for verification and validation at a later 
time. 

Defense Biometric Identification System User Manual, May 24, 2006 


A statistical measure of how unique biometric data is. Technically, it is the number 
of statistically independent features (parameters) contained in biometric data, 

National Science S* Technology Council (NSTC), 14 September 06 
http:/Avww. biometrics. aov/Documents/cios 5 arv. odf 

The part of a fingerprint pattern that looks similar to the Greek letter delta. 
Technically, it is the point on a friction lidge at or nearest to the point of 
divergence of two type lines, and located at or directly in front of the point of 
divergence. 

Natbnat Science & Technology Councif (NSTC). 14 September 06 
htto:/Avww. biometrics.aov/Documents/plossarv. odf 

A System designed to support the processing of prisoner of wars (POWs) and 
detainees by issuing Identification Serial Mumbers (ISNs), collecting identifying 
information, recording medical histories, maintaining proper^ records, issuing 
transfer, release, death, and other orders providing dispositions to detainees, 
maintain a tribunal history, and track changes to detainee records and other 
general information relevant to the detainee. 

Derived from Detainee Reporting System courtesy of National Detainee Reporting 
Center, August06 


The rate at which biometric subjects, who are in a database, are properly 
identified in an open-set identification (watchlist) application. 

Derived from National Science & Technology Council (NSTC). 14 September 06 
http-./AyVww. biometrics. aov/Documents/afossarv. pdf 
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Detection Error Trade-ofF 
(DET) Curve 


Difference Score 


Duplicate Enrollment Check 


A graphical plot of measured error rates. DET curves typically plot matching error 
rates (false non-match rate vs false match rate) or decision error rates (false 
reject rate vs. false accept rate). 

Nsthnat Science & Technology Council (NSTC), 14 September 06 
htto:/Aviv w. biometrics. aov/Documents/afossarv. odf 

A value returned by a biometric algorithm that indicates the degree of difference 
between a biometric sample and a reference. 

Nathnaf Science cS Technology Council (NSTC), 14 September OS 
http'./Avww. biometrics. aov/Docu me nts/alos 5 arv. odf 

The comparison of a recognition biometric sa m pi e/bio m etricfeat une/bio metric 
model to some or all of the biometric references in the enrollment database to 
determine if any similar biometric reference exists. 

JTC001-SC37-n-22S3 leYt of Standing Document 2{SD2) Version 8. Harmonized 
Biometric Vocabulary, November 2007 
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Electronic Biometric 
Transmission Specification 
(EBTS} 


Electronic Fingerprint 
Transmission Specification 
(EFTS) 


En roll 


En rollment 


Expanded Maritime 
Interdiction Operation 
(EMIO) 


E 

Describes customizatb ns of the Federal Bureau of Investigation (FBI) Electronic 
Fingerprint Iransmission Specification (EFTS) transactions that are necessary to 
utilise the Department of Defense (DoD) Auton^^ated Biometric identification 
System (ABtS). Any DoD entity that wishes to interface with the DoD ABIS must 
conform to the DoD EBTS. 

Etecironic Biomeiric Transm/ssran Specification 

23 August 2005 Version 1.1 DiN: DOD_BMO_TS_EBTS_Aug05_01.0l 


A document that specifies requirements to which agencies must adhere to 
communicate electronically with the Federal Bureau of Investigation (FBI) 
Integrated Automated Fingerprint Identification System (lAFlS). This specification 
facilitates information sharing and eliminates the delays associated with 
fingerprint cards. 

Nationaf Science <£ Technofogy Councif (NSTC), September 06 

httoi/A^ww. biometrics.oov/Documents/aiossarv. pdf 

Create and store, for a biometric subject, an enrollment data record that includes 
biometric reference(s) and typically, non-biometric data. 

Derived from JTC001 -SC37-n-2263 Text of Standing Document 2(SD2) Version 
8, Harmonized Biometric Vocabufary November 2W7 


The process of collecting a biometric sample from a biometric subject, converting 
it into a biometric reference, and storing it in the biometric system's database for 
later comparison. 

Derived from Nationat Science & Technology Council (NSTC), 14 September 06 
httD'./Avww.biometrics.oov/iDocumants/aiossarv. ndf 

A key maritime component needed to support the global war on terrorism by 
deterring, delaying, and disrupting the movement of terroiiists and terrorist-related 
materials and personnel at sea. U.S. Navy ships operating in the Central 
Command's (CENTCOM) Area of Responsibility (AOR) have the capability to 
collect and forward bbmetric data from potential terrorists for searching against 
databases. 

Derived from Biometrics Task Force And Navy Team for Success January 2007 
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Face Recognition 


Failure to Acquire (FTAl 


Failure to Acquire Rate 


Failure to Enroll (FTE) 


Failure to Enroll Rate 


False Acceptance 


False Acceptance Rate 
(FAR) 


F 

A biometric modality that uses an image of the visible physical structure of a 
biometric subject's face for recognition purposes. 

Deri'/ed from National Scfonce & Technology Coundi (NSTC), 14 September 06 
h tto'./Avw w. biom etrics . aov/Documen ts/a!as sarv. odf 

Failure of a biometric system to capture and/or extract usable information from a 
biometric sample. 

National Science & Technoiogy Council (NSTC), 14 September 06 
h no:/Avw ii/. biom eirics,. aov/Documen ts/o/os sarv. odf 

The frequency of a failure to acquire. 

National Information Assurance Partnership, US Government Biometrt 
Verification Mode Protection Profile for Medium Robustness Environments v1.Q, 
15 November 2003, Sponsored by the DoD Biometrics Management Office 
(BMQ) and the National Security Agency (NSA) 


Failure of a biometric system to form a proper enrollment reference for a biometric 
subject. Common failures include biometric subjects who are not properly trained 
to provide their biometrics, the sensor not capturing information correctly, or 
captured sensor data of insufficient quality to develop a template, 

Derived from National Science & Technology Council (NSTC), 14 September 06 

The probability that a biometric system will have a failure^to-enroll. 

National Information Assurance Partnership, US Govern men/ Biometric 
\/eri/)fcat/on Mode Protection Profile for Medium Robustness Environments vl.O, 

15 November 2003, Sponsored by the DoD Biometrics Management Office 
(BMO) and the National Security Agency (NSA) 


When a biometric system incorrectly identifies a biometric subject or incorrectly 
authenticates an imposter against a claimed identity. 

Derived from National Information Assurance Partnership, US Government 
Biometric Verification Mode Protection Profile for Medium Robustness 
Environments vl.O, 15 November 2003, Sponsored by the DoD Biometrics 
Management Office (BMO) and the National Security Agency (NSA) 


A statistic used to measure biometric performance when operating in the 
verification task. The percentage of times a system produces a false acceptance, 
which occurs when a biometric subject is incorrectly matched to another biometric 
subject’s existing biometric. Example: Frank claims to be John and the system 
verifies the claim. 

Derived from National Science & Technology Council (NSTC), 14 September 06 
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False Alarm Rate 

A statistic used to measure biometric perfomnarce when operating in the open-set 
identification (sometimes referred to as watch list) task. This is the percentage of 
tinges an alarm is incorrectly sounded on a biometric subject who is not in the 
biometric system’s database (the system alarms on Frank when Frank isn’t in the 
database), or an alarm is sounded but the wrong biometric subject is identified 
(the system alarms on John when John is in the database, but the system thinks 
John Is Steve). 

Derived from National Science 5 Technoiogy Comdi (NSTC}, 14 September 06 

hUb;//^A^'iVW,biQm^tric^.Q9v/Docum^^^^ pdf 

False Match 

The comparison decision of 'match' for a recognition biometric sample and a 
biometric reference that are not from the same source. 

JTC00l-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Bfometric Vocabulary, November 2007 

False Match Rate (FMR) 

A statistic used to measure biometric performance. Similar to the False 
Acceptance Rate (FAR). 

Derived from National Science <3, Tecnno/ogy Council (NSTCJ, 14 September 06 

http:/A^ww. biometrics.aov/Documents/ohscarv. pdf 

False Non-Match 

A comparison decision of'no-match' fora recognition biometric sample and a 
biometric reference that are from the same source 

JTC00l-SC37-n-22S3 Text of Standing Document 2(SD2) Version 8, Harmon/zed 
Bfometric Vocabulary, November 2007 

False Non-Match Rate 
fFNMR) 

A statistic used to measure biometric performance. Similar to the False Reject 

Rate (FRR), except the FRR includes the Failure To Acquire enor rate and the 
False Non-Match Rate dees not. 

National Science & Technoiogy Council (NSTC), 14 September 06 
h ttoVAvw Li/. biom etrics. aov/Documents/aios sarv. odf 

False Rejection 

The failure of a biometfic system to identify a biometric subject or to verify the 
legitimate claimed identity of a biometric subject. 

Derived from National Information Assurance Partnership, US Government 
Biometric Verification Mode Protection Profile for Medium Robustness 
Environments vl.O, 15 November 2003, Sponsored by the DoD Biometrics 
Management Office (BMO) and the National Security Agency (NSA) 

False Rejection Rate (FRR) 

A statistic used to measure biometric performance when operating in the 
verification task. The percentage of times the system produces a false rejection. A 
false rejection occurs when a biometric subject is not matched to his/her own 
existing biometric template. Example: John claims to be John, but the system 
incorrectly denies the claim. 
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Features 


Fingerprint 


Fingerprint Recognition 


Fingerprint Scanning 


Fingerprint Vendor 
Technology Evaluation 
(2003) (FpVTE) 


Force Protection (FP) 


Derived from National Science St Technology Council (NSTC), M September OS 

http:/fyYww,blQmQtriQ^,gQv/DQoum^nt^/g^^^ 

Distinctive mathematica i characteristic(s) derived from a biometric sampie; used 
to generate a reference, 

National Science & Technology Council (NSTC), 14 September 06 
htto:/Avww.biometrics,aov/Document$/alo$sarv.ocff 

The image left by the minute ridges and valleys found on the hand of every 
person. In the fingers and thumbs, these ridges form patterns of loops, whorls and 
arches. 

Federal Bureau of Investigation (FBI) webs/^e, Taking Legible Fingerprints 
h ffp:/Avw w. fbi. Qov/hq/ciisd/taNnQfps. htmi 

A biometric modality that uses the physical structure of an biometric subject's 
fingerprint for recognition purposes. Important features used in most fingerprint 
recognition systems are minutia(e) points that include bifurcations and ridge 
endings. 

Derived from Nationai Science & Technology Council ^AfSTC^, 14 September 06 
htto:/A/Vww. biometrics. aov/Documents/a loss ary, pdf 

Acquisition and recognition of a biometric subject's fingerprint characteristics for 
identification purposes. This process allows the recognition of a biometric subject 
through quantifiable physiological characteristics that detail the unique identity of 
an individual. 

Derived from The Intel Co'poraiion website, Biometric User Authenficafhn: 
Fingerprint Sensor Product Guideiines . Version 1.03, September 2003 

h tto:/Avw w.in tel. conVdes ian/mob iie/o la t form/down foads/FinaerorIntSen sorProduct 

Guidelines.p df 


An independently administered technology evaluation of commercial fingerprint 
matching algorithms. 

Natbnai Science & Technology Council (NSTC), 14 September 06 
h tto:/Avw 11 /. biom etrics. aov/Documen ts/alos sarv. odf 

Preventive measures taken to mitigate hostile actions against Department of 
iDefense personnel {to include family members), resources, facilities, and critical 
information by using biometrics to positively link identity information to a given 
physical individual. Force protection does not include actions to defeat the enemy 
or protect against accidents, weather, or disease, Also called FP. 

Derived from Joint Publication Joint Operations,, 17 September 2006 
h tto:/Avw IV. dtic. mif/doc trineAel/n ew oubs/ioS 0. odf 
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Foreign Humanitarfan 
Assistance (FHA) 


Forensic 


Friction Ridge 


Friendly 


Full Enrollment 


Programs conducted to relieve or reduce the results of natural or manmade 
disasters or other endemic conditions such as human pain, disease, hunger, or 
privation that might present a serious threat to life or that can result in great 
damage to or loss of property. Foreign humanitarian assistance (FHA) provided 
by US forces is limited in scope and duration. The foreign assistance provided is 
designed to supplement or complement the efforts of the host nation civil 
authorities or agencies that may have the primary responsibility for providing 
FHA. FHA operations are those conducted outside the United States, its 
territories, and possessions. Also called FHA Biometrics can be used as an 
enabler for personal identification for humanitarian assistance distribution. 

Deri'/ed from Joint Publication 3-0, Joint Operations, 17 September 2006 
h tto:/Avw dtic. mil/doc trine/iel/n ew Dubs/io3 0. odf 

Relates to the use of science or technology in the investigation a nd establishment 
of facts or evidence. Collected biometric samples could then be linked to 
non-biometric forensic evidence. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
identity Superiority, November 2006 


The ridges present on the skin of the fingers and toes, and on the palms and 
soles of the feet, which make contact with an incident surface under normal 
touch. On the fingers, the distinctive patterns formed by the friction ridges that 
make up the fingerprints. 

Nathnat Science & Technoiogy CoL/nc//{7VSTQ), 14 September 06 
/ 7 ttp 'Mv w w, bio m g fe , go v /Doctf mgnfg/d/ds gar y , pdf 

Trusted individuals, DoD personnel and family members, US Persons, trusted 
Allies, Coalition, etc, 

Capstone Concept of Operations for DoD Biome¥tcs in Support of identity 
Superiority, November 2006 


Enrollment of biometric data on a subject that includes 14 fingerprint images (4 
slaps, 10 rolls), 5 face photos, 2 irises, and required text fields. The sample must 
be EBTS compliant. Typically used for detainees, locally hire screenings, and 
other applications. 

initiei Capabiiities Document (iCD) for Biometrics in Support of Personnel identity 
(BSPI) (Draft), 30 Jun 07 
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Gait 


Gallery 


Gray Force 


G 

A biometiic subject's manner of walking. This behavioral characteristic is in the 
research and development stage of automation. 

Derived from National Science & Technology Coundi (NSTC), 14 September 06 
h tto:/Avw w. biom etrics . aov/Documen ts/afas sarv. odf 

The biometric system’s database, or set of known biometric subjects, for a 
specific implementation or evaluation experiment. 

Derived from National Science 5 Technofogy Coundi (NSTC). 14 September 06 
h ttp-./Avw L.i/. biom etrics. aov/Documen ts/afos sarv. odf 

A general term used to describe civilian personnel. However, the term may also 
be applied to defined individuals for whom no identity has been positively 
established. It may include those individuals that have not been positively 
identified as being either hostile (Red) or friendly (Blue) In general use, it has 
become a term similar to "Boggy", which is used by aviation personnel to indicate 
that they have acquired contact (visual or radar) with another aircraft but have not 
identified it as being friendly or hostile ("Bandit’). A population group of unknown 
individuals including, but not limited to, nonaligned persons, host country and 
third-country nationals, and non-U.S. citizens. 

fnftiaf Capabifities Document (fCO) for Biometrics in Support of Personnel Identity 
(BSPI) ({Draft), 30 Jun 07 
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Hamming Distance (HD) 


Hand Geometry 
Recogitition 


Hand Scan 


H 

The number of non-corresponding digits in a string of binary digits; used to 
measure dissimilarity. Hamming distances are used in many Daugman iris 
reco gn itio n algo rith ms. 

Nathnstf Science & Technology Council (NSTC), 14 September 06 
hitoJAA^ww. biometrics.Qov/Cocumentc/Qlossery. odf 

A biometric modaiity that uses the physicai stnjcture of a biometric subject's hand 
for recognition purposes. 

Derived from Neilonet Science & Technology Council (NSTC), 14 September 06 
htto:/A^vww. biometrics.aov/Documentc/alocsary. pdf 

Print from the outer side of the palm. 

Initial Capabiiities Document (ICD) forBiometics in Support of Personnel identity 
(BSPl) (Draft), SOJunOT 
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Identification 

The ene-to-rnaoy (t;N) process of comparing a submitted biometric sannple 
against all of the biometric reference templates on file to determine whether it 
matches any of the templates and, if so, the known identity of the biometric 
subject whose template was matched. 

Capstone Concept of Operations for iOoD Biometrics in Supperf of identity 
Superiority, November 2006 

Identification Rate 

The rate at which a biometric subject in a database is correctly identified. 

Derived from Nationat Science & Technology Councii (NSTC), 14 September 06 

Identifier 

A unique data string used as a key in the biometric system to name a biometne 
subject's identity and its associated attributes, An example of an identifier would 
be a passport number 

Derived from Nationat information Assurance Partnership, US Government 
Biometric Verification Mode Protection Profiie for Medium Robustness 
Environments vl.O, 15 November 2003, Sponsored by the DoD Biometrics 
Management Office (BMO) and the Nationai Security Agency (NSA) 

Identity 

The set of attribute values (i.e. characteristics) by which a biometric subject is 
recognizable and that, within the scope of an identity manager’s responsibility, is 
sufficient to distinguish that biometric subject from any other biometric subject and 
to distinguish the identity from any other identity. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
Identity Superiority, November 2006 

Identity Assurance 

Operations that protect and defend identity information and management by 
ensuring their availability, integrity, authentication, confidentiality, intended use 
(privacy), and non-repudiation. 

DoD Biometrics Strategy Working Group 

Identity Claim 

A statement that a biometric subject is or is not the source of a reference in a 
database. Claims can be positive (1 am in the database), negative (1 am not in the 
database), or specific (1 am end user 123 in the database). 

Derived from NSTC Sub committee on Biometrics lAW INCITS/M1 and ISO/IEC 
JiYC 2 SC37standards bodies, Aug 2006. 

Identity Dominance 

The operational capability to achieve an advantage over an adversary by denying 
him the ability to mask his identity, or counter our biometric technologies and 
processes. This is accomplished through the use of enabling technologies and 
processes to establish the identity of a biometric subject and to establish a 
knowledge base for that identity. 
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Identity Governance 


Identity IVIanagement 


Identity Protection 


Identity Protection and 
Management Senior 
Coordinating Group 
(IPMSCG) 


Identity Superiority 


Integrated Automated 
Fingerprint Identification 
System (lAFIS) 


Derived from Capstone Concept of Operations for DoD B^metrics in S^jpporf of 
identity Superiority, November 2006 


The combination of policies and actions taken to ensure enterprise-wide 
consistency, privacy protection and appropriate interoperability betAeen individual 
identity management systems. 

Nathnat Science Technology Council (NSTC), 14 September 06 
htto:/Avww. biometrics. aov/Documents/alossarv. odf 

A business function that authenticates an individual to validate identity, DoD 
affiliation, and authorization of the credential holder. The centralized data 
repository delivers credentialing information and status for business functions 
within DoD for use as proof of identity and DoD affiliation is delivered by Identity 
Mianagement. 

Capsfoee Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


The process of safeguarding and ensuring the identities of individuals, devices, 
applications, and services are not compromised. 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


A DoD-level group that provides the enterprise coordinating framework for identity 
protection and management elements and activities for individuals, devices, 
applications, and services and oversee the integration of DoD-wide policy, 
capabilities and strategy for managing physical and virtual identities. 

DoD D 8521. AAE DoD BIOMETRICS PROGRAM 


The management, protection and dominance of identity information for friendly, 
neutral or unknown, and adversary subject through the application of military 
operations and business functions. 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


The FBI's large-scale ten fingerprint (open-set) identtfiication system that is used 
for criminal history background checks and identification of latent prints 
discovered at crime scenes. This system provides automated and latent search 
capabilities, electronic image storage, and electronic exchange of fingerprints and 
responses. 

National Science & Technology Council (NSTC), 14 September 06 
hnp'JAvww. biometrics.ocv/Documents/alossarv. pdf 
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Intermediate Biometric 
Sample Processing 


International Committee for 
Information Technology 
Standards (INCITS) 


Interoperability 


Iris Code© 


Iris Recognition 


Any rmanipuNation of a biometric sample that does not produce biometric features. 
Example: I ntermediate biometric samples may have been enhanced for 
biometric feature extraction 

jTC001-S037-n-22G3 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabuiaty, November 2007 


Organization that promotes the effective use of information and communication 
technology through standardization in a way that balances the interests of all 
stakeholders and increases the glo bal competitiveness of the member 
organizations. 

National Science & Technology Council (NSTC), 14 September 06 

hnf?;/Mww, 

The conditions achieved among oommunications-electronic (CE) equipment 
systems or items of CE equipment when information or services can be 
exchanged directly and satisfactorily between them and their users. 

Joint Publication 6-0. Joint Communication Systems, 20 March 2006 
h ttp./Avww.dtic.mif/doctrine/iel/new Dubs/iD6 O.odf 

A biometric feature format used in the Daugman iris recognition system. 

National Science & Technology Council (NSTC), 14 September 06 
h ttoJAvw biometrics . oov/Documents/alos sarv. odf 

A biometric modality that uses an image of the physical structure of a biometric 
subject's iris for recognition purposes. The iris muscle is the colored portion of the 
eye surrounding the pupil. 

Derived from Nationat Science & Technology Council (NSTC), 14 September 06 
h tto'JAvw w. biometrics. aov/Documen fs/o/os sarv. odf 
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Keystroke Dynamics A biometric modality that uses the cadence of a biometric subject's typing pattern 

for recognition. 

Derived from Nationai Science & Technoiogy Council (NSTC), 14 September 06 
h tto:/Avw w. biometrics . aov/Documen ts/alos sarv. odf 
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Latent Fingerprint 

L 

A fingerprint “image' left ort a surface that was touched by a biometric subject. 
The transferred (mpression is ieft by the surface contact with the friction ridges, 
usually caused by the oily residues produced by the sweat glands in the finger. 

Derived from Nathnef Science S Technology Councii (NSTC), 14 September OB 

titto:/Avww. biometrics. aov/Documents/alossarv. odf 

Latent Sample 

A biometric residue that is dormant, inactive, or non-evident but can be captured, 
measured and stored, it may be difficult to see, but can be made visible to 
scrutiny. A residue left on a medium that came in contact with a biometric 
subject. 

Derived from Capstone Concept of Operations forDoD Bhmetics in Supped of 
Identity Superiority, November 2006 

Live Capture 

Typically refers to a fingerprint capture device that electronically captures 
fingerprint images using a sensor (rather than scanning ink-based fingerprint 
images on a card or lifting a latent fingerprint from a surface). 

Natbnaf Science Si Technology Councii (NSTC), 14 September OS 

htto:/A/Vww.biometrics.aov/Documents/alossarv. odf 

Live ness Detection 

A technique used to ensure that the biometric sample submitted is from a 
biometric subject. A live ness detection method can help protect the system 
against some types of spoofing attacks. 

Derived from National Science S TechmNogy Council (NSTC), 14 September OS 

hno:/A/Vww. biometrics.aov/Documents/alossarv. odf 

Live Scan 

Occurs when taking a fingerprint or palm print directly from a biometric subjects 
hand. 

Deri'ved from ANSIMST-iTL 1-2000, Data Forma ^ fer the Int^change of 
Fingerprint, FaciaL S Scar mark S Tattoo information 

httoJAAfww, iti,nist,QOV.fANSiASD/sD500-245-a 16,odf 

Locally Employed 
Personnel (LEP) 

A person employed by the Coalition and US military, not US citizens, 

USCENTCOM Biometric Identiffeat ion System for Access (BfSA) CONORS 

Local Trusted Source 

A sub-set of the Authoritative Source and is established to accomplish a specific 
function within an operational mission or business process. Reasons for 
establishing a local trusted source might include: insufficient network connectivity 
to provide immediate access to the authoritative source, an operational need for 
closed-loop access, permission application. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
Identity Superiority, November 2006 


Page 24 of 39 


92 














Version 1,0 


Biometrics Glossary (BG) 


Feb 1. 200B 


Local Un-Trusted Source 


Logical Access 


Loop 


A local repository of biometric files that that have not been enrolled with an 
authoritative or local trusted source. In many cases, local un-trusted sources are 
established for missions of short duration or to satisfy political policy, or legal 
restrictions related to the sharing of biometric information. 

Capstone Concept of Operations for DoD Biometrics in Support of identity 
Superiority, November 2006 


Process of granting access to information system resources to authorized users, 
programs, processes, or other systems. The controls and protection mechanisms 
that limit users' access to infomnation and restrict their forms of access to only 
what isapprophate. 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


A fingerprint pattern in which the friction ridges enter from either side, curve 
sharply and pass out near the same side they entered. This pattern will contain 
one core and one delta. 

National Science & Technology Council (NSTC), 14 September 06 
http./A^vww. biometrics. aov/Docu men ts/aiossarv. pdf 
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The process of accurately iden-tifying or verifying the identity of a biometric subject 
by comparing a standardized biometric file to an existing source of standardized 
biometric data, and scoring the level of confidence of the match, Matching 
consists of either a one-to-one (verification) or one-to-many (identification) 
search. 

Derived from Capstone Concept of Operatior^s for DoD Biometrics in Support of 
Identity Superiority, November 2006 


The presentation of a live biometric measure in an attempt to fraudulently 
impersonate someone other than the submitter, 

/Vaf©/7a/ Science & Technofogy Council (NSTC), 14 September 06 

httpyAvmv, 

Minutia(e) Point The point vwhere a friction ridge begins, terminates, or splits into two or more 

ridges, Mirutia(e) are friction ridge characteristics that are used to individualize a 
fingerprint image. 

ANSt/NiST-iTL 1-2000, Data Format for the interchange of Fingerprint, Facial 6^ 
Scar mark & Tattoo Information 

m:/ A Y WW Jti ML QQvm.SiASD/i^^^ t Ml 

Modality A type or class of biometric systemi, For example: face recognition, fingerprint 

recognition, iris recognition, etc. 

Natbnat Science & Technoiogy Council (NSTC), 14 September 06 
h tto.7AvL.i^ I.!/, biom etrics. aov/Documents/afos sarv. odf 

Mod el A re prese ntatio n u se d to c ha racte rize a bi ometri c su bject. Beh a vi ora l-ba sed 

biometric systems, because of the inhenently dynamic characteristics, use models 
rather than static templates. 

Derived from National Science & Technoiogy Council (NSTC), 14 September 06 
htto:/Avww. biometrics. aov/Docu men ts/aioss ary, pdf 

Multimodal Biometric A biometric system in which two or more of the modality components (biometric 

System characteristic, sensor type or feature extraction algorithm) occurs in multiple. 

Capstone Concepf of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


Version 1,0 


Match 


Mimic 
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National Institute of 
Standards and Technology 
(NIST) 


National Security 
Telecommunications and 
Information Systems 
Security Committee 
(NSTISSP#11) 


Neutral or Unknown 


Non-DoD Partners 


Non-match 


N 

A non-regulatory federal agency within the U.S. Department of Commerce that 
develops and promotes measurement, standards, and technology to enhance 
productivity, facilitate trade, and improve the duality of life. NIST's nneasurennent 
and standards work promotes the well-being of the nation and helps improve, 
among many others things, the nation's homeland security. 

NathnsUnsfitute of Standards and Taohnology 
h ttp./Avw w. n is t. aov/puhtsc affairs/factsheef/homela nd. h im 


National security community policy governing the acquisition of information 
assurance (IA) and lA-enabled information technology products. 


The National information Assurance Partnership, Common Criteria Evaluation 
Validated Sc/ieme, infomnation Assurance Dictoraie FAQ V2.1, 6 January 2002 

h ttp:/A/VW Lv. n ian-ccevs. ora/cc-scheme/ns tis sp 11. pdf 

Nonaligned individuals, host-country and third-country national non-US citizens. 

Capstone Concepf of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


Interagency and Multinational partners 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


A decision that the recognition biometric sample(s) and the biometric reference 
are not from the same source. 

JTC001-SC37-n-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 
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One-to-Many 


One-to-One 


Open-set Identification 


Operational Evaluation 


O 

A phrase used in the biometrics community to describe a system that compares 
one reference to many enroiied references to make a decision. The phrase 
typicaiiy refers to the identification or watch list tasks. 

Capstone Concept of Operations for DoD Biometrics in Support of identity 
Superiority, November 2006 


A phrase used in the biometrics community to describe a system that compares 
one reference to one enrolled reference to make a decision. The phrase typically 
refers to the verification task (though not ali verification tasks are truly 
one-to-one). The identification task can be accomplished by a series of 
one-to-one comparisons. 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 


Biometric task that more cioseiy foiiows operational biometric system conditions 
to 1) determine if a biometric subject is in a database and 2) find the record of the 
biometric subject in the database. This is sometimes referred to as the “watchlist" 
task to differentiate it from the more commonly referenced closed-set 
identification. 

Derived from National Science d Technofogy CouncH (NSTC), 14 September 06 
h tto'./Avw w. biom e tries . aov/Documen ts/aias sarv.odf 

One of the three types of performance evaluations. The primary goai of an 
operationai evaluation is to determine the workflow impact seen by the addition of 
a biometric system. 

National Science S Teebnoiogy Councf/{NSTCJ, 14 September 06 
htto'./Avww. biometrics. aov/Documents/aiossarv. odf 
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Palm Print Recognition 


Performance 


Personal Identification 
Number (PIN) 


Person Data Exchange 
Standard (POE5| 


Person of Interest 


Platen 


Probe 


P 

A biometric modality that uses the physical structure of a biometric subject's palm 
print for recognition purposes. 

Derived from National Science & Technology Coundl (NSTC), 14 September 06 
h tto:/Avw w. biom e tries . aov/Documen ts/afos sarv. odf 

A catch-all phrase for describing a measurement of the characteristics, such as 
accuracy or speed, of a biometric algorithm or system. 

Nationaf Science & Technofogy Council (NSTC), 14 September 06 
httD:/Avww. biometrics. aov/Documents/afossarv. odf 

A number used in conjunction with an access control system as a secondary 
credential by the user to ensure the holder of the access control card is the 
authorized user. 

Navai Facilities Engineering Service Center, Antiterrorism Team website, 
Giossery of Terms 


A specification of the U.S. government intelligence community that specifies XML 
tagging of person data, including biometric data. 


U.S. Government Person Data Exchange Standard (PDES) 


An individual for whom information needs or discovery objectives exist 

The DoD Biometricaify-Enabled \f\^tch(ist (BEWL) A Federated Approach, May 3, 
2007 


The surface on which a finger is placed during optical finger image capture. 

Internationat Association for Biometrics (iAfB) and internationat Computer 
Security Association (tCSA), 1999 Glossary of Biometnc Terms 

h ttp:/Avw w.afb.ora. uk/docs/aloss an/, htm 

The biometric sample that is submitted to the bbmetric system to compare 
against one or more references in the gallery. 

Natlonai Science & Technology Council (NSTC), 14 September 06 
h f fjtj.7Ai/L'i/ w. biometrics. aov/Documents/alos sarv. ndf 
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Receiver Operating 
Characteristics (ROC) 

R 

A method of showing measured accuracy performance of a biometric system, A 
verification ROC compares false acceptance rate vs. verification rate. An 
open-set identification (watch list) ROC compares false a [arm rates vs. detection 
and identification rate, 

Nationaf Science 3 Tec/jno/ogy Cot/nci/ {/\fSTCJ, 14 September 06 

httoJA/Vww. biometrics.aov/Documents/alossarv. odf 

Recognition 

A generic term used in the description of biometric systems (e,g, face recognition 
or iris recognition) relating to their fundamental function. The term 'recognition' 
does not inherently imply the verification, closed-set identification or open-set 
identification (watchlist), 

Natma! Science 3 Technology Council (NSTCl 14 September 06 

i?df 

Red Force 

Acoliectivetemnforenemyoropposingforces. Itcaninciudereguiarmilitary, 
naval, and airforces as well as irregular combatant forces, terrorists, guerillas, 
and any other enemy combatant. A population group of individuals including, but 
not limited too, known enemy combatants, known or suspected temorists, 
detainees, criminals, hostile foreign intelligence officers, and persons of interest 

DoD D 8521. AAE DoD BIOMETRICS PROGRAM 

Re-enrollment 

The process of establishing a new biometrics reference for a biometric subject 
already enrolled in the database. 

JTC001-SC37-N-2263 Text of Standing Document 2(SD2) Version 8, Harmonized 
Biometric Vocabulary, November 2007 

Reference (Function) 

The process of querying various repositories of associated information on 
individuals (Intelligence, Medical, Human Resources, Financial, Security, 
Education, Law Enforcement, etc) for analysis purposes. 

Capstone Concept of Operations for DoD Biometrics in Support of identity 
Superiority, November 2006 

Response Time 

The time used by a biometric system to return a decision on identification or 
verification of a biometric sample. 

Internationat Association for Biometrics (iAfB) and Internatlonat Computer 

Security Association (tCSAl 1999 Gbssary of Biomefnc Terms 

Ridge Ending 

A minutiae point at the ending of a friction ridge. 

Natlorjat Science & Technology Council (NSTC), 14 September 06 

h tto'./Avw w.biom etrics. aov/Documen ts/aios sarv.odf 
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Rolled Fingerprints 


An image that includes fingerprint data from nail to nail, obtained by "rolling" the 
finger across a sensor. 

Nationat Science & Technology Council (NSTC), 14 September 06 
h tto:/Avw biometrics . aov/Documents/alos sarv. odl 
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Scenario Evaluation 

S 

One of the three types of performance evaluations. The primary goai of a 
scenario evaiuation is to measure performance of a biometric system operating in 
a specific application. 

Nathnsit Science & Technology Council (NSTC), 14 September 06 

htto:/Avww. biometrics. aov/Documents/alossarv. odf 

Seg mentation 

The process of parsing the biometric signai of interest from the entire acquired 
data system. Forexampie, finding individuai finger images from a siap 
impression. 

National Science S, Technology Council (NSTC), 14 September 06 

Sensor 

Hardware found on a biometric device that converts biometric input into a digitai 
signal and conveys this information to the processing device. 

Nathnai So/ence & Technology CoL/nc//{jlVSTC| 14 September 06 
http:/A,vwiv. biometncs.gov/Documents/giossarv. odf 

Share 

Exchange standardized biometric files and match results among approved Army, 
DoD, Interagency, and Multinational partners in accordance with applicable law 
and policy 

Capstone Concept of Operations for DoD Biometrics in Support of Identity 
Superiority, November 2006 

Signature Dynamics 

A behavioral biometric modality that analyzes dynamic characteristics of a 
biometric subject's signature, such as shape of signature, speed of signing, pen 
pressure when signing, and pen-in-air movements, for recognition. 

Derived ^om National Science & Technology Council (NSTC), 14 September 06 

htto:/Avww. biometrics. aov/Documents/alossarv. odf 

Similarity Score 

A value returned by a biometric algorithm that indicates the degree of similarity or 
correlation between a biometric sample and a reference. 

Natbnat Science & Technology Council (NSTC), 14 September 06 

h tto./Avw w. biom etrics. aov/Documents/alos sarv. odf 

Slap Fingerprint 

Fingerprints taken by simultaneously pressing the four fingers of one hand onto a 
scanner or a fingerprint card. Slaps are known as four finger simultaneous plain 
impressions. 

Nathnat Science & Technology Council (NSTC), 14 September 06 
hiioJAvww, biometrics.Qov/Documents/Qlossarv, odf 

Source 

An approved database and infrastructure that stores biometrics files. 

Capstone Concept of Operations for DoD B/ome fries in Support of identity 
Superiority, November 2006 
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Speaker Recognition 


Speech Recognition 


Spoofing 


Store 


Su bmisston 


A biometric modality that uses a biometric subject's speech, a feature influenced 
by both the physical structure of a biometric subjects vocal tract and the 
behavioral characteristics of the biometric subject, for recognition purposes. 
Sometimes referred to as voice recognition.' 'Speaker Recognition' is not the 
same as 'Speech recognition' which recognizes the words beingsaidandisnota 
biometric technology. 

Deri'/ed from Nathnaf Science & Technoiogy Council (NSTC), 14 September 06 
htlo:/A\fww. biometrics.oov/Documents/ciossary. pdf 

A technology that enables amachineto recognize spoken words. Speech 
recognitionisnotabbmetrictechnology. 

National Science & Technology Council (NSTC), 14 Sepfembar06 
httDJA^/ww.biometncs.Qov/DQcuiTients/alossarv. adf 

The ability to fool a biometric sensor into recognizing an illegitimate biometric 
subject as a legitimate biometric subject (Verification) or into missing an 
identification of someone that is in the database. 

Derived from National Science & Technoiogy Council (NSTC), 14 September 06 
h w. bhm etrics. aov/Documen ts/alos sarv.odf 

The process of enrolling, maintaining, and updating biometric files to make 
available standardized, current biometric information on biometric subjects when 
and where required. Biometric files are either enrolled or updated before they are 
stored. 

Capstone Concept of Operaf/ons for DoD Biometrics in Support of Identity 
Superiority, November 2006 


The process whereby a subject provides a biometric sample to a biometric 
system. 

Nathnat Science S* Technoiogy Council (NSTC), 14 September 06 
http'JA/Vww. biometrics.oov/Documents/Qiossarv. odf 
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Tactical Enrollment 


Template 


Tethered Biometric System 


Threshold 


Throughput Rate 


True Acceptance Rate 


T 

Enrollment of biometric data on a subject that includes at least 2 fingerprints 
(indexes), 2 iris prints, and required text fields. The sampte must be EBTS 
compliant. Typically used when subject is not being detained, but a record of the 
encounter is required at an ICED site, raid, humanitanan assistance, etc. It is an 
identification leading to an enrollment of a subject utilizing biometric data that 
includes at least 1 fingerprint or 1 iris and capture identification number. Used 
when subject is being detained and full enrollment will be conducted at the 
detention facility or at a base access point, when a subject is applying for a job on 
a base and is escorted to the LEP screening site for full enrollment 

initial Capabliities Document (fCD) for diometncs in Support of Personnel identity 
(BSPi) (Draft), 30JunQ7 


A digital representation of a biometric subject's distinct characteristics, 
representing information extracted from a biometric sample. Templates are used 
during biometic authentication as the basis for comparison. 

Derived tom Nationat Science & Technoiogy Councii (NSTC), 14 September OB 
http:/Avww. biometrics, aov/Docu men ts/g loss ary, odf 

Use of biometric sensors between deployed personnel within a robust command 
and control architecture. 

Biometrics Fusion Center 


A user setting for biometic systems operating in the verification or open-set 
identification (watohlist) tasks. The acceptance or rejection of biometric data is 
dependent on the match score falling above or below the threshold. The threshold 
is adjustable so that the biometric system can be more or less stnct, depending 
0 n th e req u i re m ents of a ny given bio metric a ppl i cati on. 

Nathnat Science £* Technoiogy Council (NSTC), 14 September OB 
http'JA/Vww. biometrics.oov/Documents/aiossarv. odf 

The numiber of biometric transactions that a biometric system processes within a 
stated time interval. 

Nathnat Science & Technoiogy Councii (NSTC), 14 September OB 
h no:/Avw L.i/. biometrics. aov/Documents/aios sarv. odf 

A statistic used to measure biometric performance when operating in the 
verification task. The percentage of times a system (con-ectly) verifies a true claim 
of identity. For example, Frank claims to be Frank and the system verifies the 
claim. 

Nathnat Science & Technoiogy Councii (NSTC), 14 September 06 
http:/AMVw. biometrics. aov/Documents/alossarv. pdf 
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True Rejection Rate A statistic used to measure biometric performance when operating in the 

verification task. The percentage of times a system (con^ectfy) rejects a false 
ciaim of identity, For estampie, Frank ciaims to be John and the system rejects the 
ciaim. 

Natfonat & Technology Council (NSTC), T'? September 06 

hf to:/Avww. biometrics. aov/Documents/alossarv. odf 
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Urrtethered Biometric Co I lection, analysis and use of biometric sensors between deployed personnel 

System outside of a robust command and control architecture. 

Bfometrfcs Fushn Center 


Immigrant a continuum of security measures that begins overseas, at the Department of 
btams indicator State's visa issuing posts, and continues through arrival and departure from the 

Technology (US-VISIT) United States of America. Using biometrics, such as digital, imkless fingerscans 

and digital photographs, the identity of visitors requiring a visa is now matched at 
each step to ensure that the person crossing the U.S, border is the same person 
who received the visa. For visa-waiver travelers, the capture of bb metrics first 
occurs at the port of entry to the U.S. By checking the biometrics of a traveler 
against its databases, US-VISIT verifies whether the traveler has previously been 
determined inadmissible, is a known security risk (including having outstanding 
wants and warrants), or has previously overstayed the terms of a visa. These 
entry and exit procedures address the U.S. critical need for tighter security and 
ongoing commitment to facilitate travel for the millions of legitimate visitors 
welcomed each year to conduct business, learn, see family, or tour the country. 

/Vafbr?a/ Sctence & Technology Council (NSTC), 14 September 06 
htto./Avww. biometrics. aov/Docu men ts/alossarv. pdf 
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Valley 


Verification 


Verification Rate 


Vulnerability 


V 

The area of a fingerprint surrounding a friction ridge that does not make contact 
with an incident surface under normal touch; the area of the finger between two 
friction ridges. 

ANSUNCtTS 378-2004 

information technology - Finger Minutiae Format hr Data interchange 


The one-to-one process of matching a biometric subject's biometric sample 
against his stored biometric file. Also known as Authentication. 

Derived from Capstone Concept of Operations for DoD Biometrics in Support of 
identity Superiority, November 2006 


A statistic used to measure biometric performance when operating in the 
verification task. The rate at which legitimate biometric subjects are correctly 
verified. 

Derived from National Science & Technoiogy CouncU fTVSTC^, 14 September 06 
h ttp:/Avw biometrics. gov/Documen ts/gios sarv. pdf 

The potential for the function of a biometric system to be compromised by intent 
(fraudulent activity), design flaw (including usage error), accident, hardware 
failure, or external environmental condition. 

Natsonat Science & Technoiogy Council (NSTC), 14 September 06 
httoJAA/ww. biometrics. aov/Documents/aiossarv. odf 
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Watch list 


Wav&I&t Scalar Quantization 
(WSQ) Grayscale 
Fingerprint Image 
Compression Specmcation 
flAFIS-ICMI(l10 |V3]) 


Wliorl 


W 

A term sometimes referred to as open-set identification that describes one of the 
three tasks that biometric systems perform. Answers the questions: Is this person 
in the database? If so, who are they? The biometric system determines if the 
individuafs bionrvetric template matches a biometric template of someone on the 
watch list. The individual does not make an identity claim, and in some cases does 
not personally interact with the system whatsoever. 

National Science 5 Technology Council (NSTC), 14 September 06 
htto:/Avww.biomems.aov/Document$/<ilo$sarv.ndr 


Provides the definitions, requirements, and guidelines for specifying the FBI's 
WSQ compression algorithm. The document specifies the class of encoders 
required, decoder process, and coded representations for compressed image 
data. 

Criminal Justice Information Services (CJIS) Electronic Fingerprint Transmission 
Speclfioaiion lAFlS-doc-01078-7.1 

httD:/Avmv. fbi.aov/ha/cilsd/iaf!'s/efts 71/efts 7 l.udf 

A fingerprint pattern in which the ridges are circular or nearly circular. The pattern 
will contain 2 or more deltas. 

Nathnat Science & Technology Council (NSTC). 14 September 06 
httoJAvww. biometrics. aov/Documents/a loss ary, odf 
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# 

10 Print lUtetch or An absolute positive identificatior of a biometric subject by corresponding each of 

Identification his or her 10 fingerprints to those in a system of record. Usually performed by an 

AFiS system and verified by a human fingerprint examiner. 

Derived from Biometrics Tesk Force 

http:/Avww.biometrtcs.dod.mi}/HeferenceTutorfal$/BiometrlcsGlos$ar'/Aabfd/a7/De 

fault.aspx 
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ABIS 

Automated Biometric Identification System 

APIS 

Automated Fingerprint Identification System 

AIMS 

Automated Identification Management System 

ANSI 

American National Standards Institute 

AOR 

Area of Responsibility 

ASCII 

American Standard Code for Information Interchange 

BAT 

Biometric Automated Toolset 

BC 

Biometric Consortium 

BDT 

Biometric Data Team 

BFC 

Biometric Fusion Center 

BIAR 

Biometric Intelligence Analysis Report 

Bio API 

Biometric Application Programming Interface 

BIR 

Biometric Information Record 

BIR 

Biometric Intelligence Resource 

BISA 

Biometric Identification System for Access 

BMC 

Biometric Management Office 

BSWG 

Biometric Standards Working Group 

BTF 

Biometric Task Force 

CAC 

Common Access Card 

CBA 

Capabilities Based Assessment 

CBEFF 

Common Biometric Exchange File Format 

CBEFF 

Common Biometric Exchange Formats Framework 

CE 

Communications Equipment 

GENICOM 

Central Command 

CJIS 

Criminal Justice Information Services 

CMC 

Cumulative Match Characteristic 

CMR 

Cumulative Match Rate 

CONORS 

Concept of Operations 


Page 1 of 3 


108 






Feb1, 200 B 


Version 1.0 

Biometrics Glossary (BG) 

Acronyins 

DBEKS 

DoD Biometric Expert Knowledgebase System 

COIDS 

Defense Biometric Identification System 

DET 

Detection Error Trade off 

DMDC 

Defense Manpower Data Center 

DNA 

Deoxyribonucleic Acid 

DoD 

Department of Defense 

DPI 

Dots Per Inch 

DRS 

Detainee Reporting System 

EBTS 

Eiectronic Biometric Transmission Specification 

EFTS 

Eiectronic Fingerprint Transmission Specification 

EMIO 

Expanded Maritime Interdiction Operations (NAVY) 

FAR 

False Acceptance Rate 

FBI 

Federal Bureau of Investigation 

FHA 

Foreign Humanitarian Assistance 

FMR 

False Match Rate 

FNMR 

False Non Match Rate 

FOUO 

For Official Use Only 

FP 

Force Protection 

FpVTE 

Fingerprint Vendor Technology Evaluation 

FRR 

False Rejection Rate 

FRVT 

Face Recognition Vendor Test 

FTA 

Failure To Acquire 

FTE 

Failure To Enroll 

GMM 

Gaussian Mixture Model 

HD 

Hamming Distance 

HMM 

Hidden Markov Model 

I APIS 

Integrated Automated Fingerprint identification System 
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IBDD 

Integrated Biometric Data Dictionary 

IDS_MD 

Identity Dominance System - Maritime Domain 

fNCITS 

International Committee for Information Technology Standards 

ISO 

International Organization for Standardization 

JPEG 

Joint Photographic Experts Group 

JTC 

Joint Technical Committee 

LDM 

Logical Data Model 

LEP 

Locally Employed Personnel 

NGIC 

National Ground Intelligence Center 

NIST 

National Institute of Standards and Technology 

NSTC 

National Science and Technology Council 

ORCON 

Dessemination & Extraction of Information Controlled by Originator 

POI 

Person(s) of Interest 

PPI 

Pixels Per Inch 

RAPID 

Real-time Automated Personnel Identification System 

RFS 

Ready For Staffing 

ROC 

Receiver Operating Characteristics 

SCI 

Sensitive Compartmented Information 

SME 

Subject Matter Expert 

SWGFAST 

Scientific Working Group on Friction Ridge Analysis, Study and Technology 

TS 

Top Secret 

WSQ 

Wavelet Scalar Quantization 

XML 

Extensible Markup Language 
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APPENDIX C — GENERAL TIMELINE OF FEDERAL 
GOVERNMENT BIOMETRIC ACTIVITIES 


Key 

« Policy , Ugistation, an d General Events 

• iResearch, OevielopiTient,Testing andEvaiuntionrSlandards 

* Operations _ 


1967 

1986 

1992 

19&3 


' ^The Federal Biirea of investigailon (FBt) and NIST begin research on techiTOlogies 

for the automated matching of fingerprints. 

— ANS17NBS ICST 1.19S8"American national Standard-for Information Systems - 
Fingerprint ideniiftcalbn - Data Forntat for infcrmation interchange" is adopted. 

—The Biometric Consortium is established within the U.S- governmenL 
—The Depanmerrt of Defense (DoDj Initiates the FacE REcognition Technology 
(FERE I) program. 


1994 

1995 


1996 


—Immigration and Naturalization Service (INS) initiates INSPASS using hand 
geometry at ports of entry to facilitate the inspection cf business travelers to the US 

(using special kiosks and lanes that byjiass the normal inspection lanes) 

—FBI plans development of the Integrated Automaied Fingerprint Identification 
System (IAPIS). 

— IHS' IDEMT system becomes operational, 

—Iris prototype becomes available as a commercial product. 

—INS uses facial recognition and voice recognition to verify the Identity of pre¬ 
en rolled persons in vehicles crossing the border at Otay Mesa, California using a 
special, ^dicoted lane, 

—The Illegal Immigration Refonn and Immigrant Responsibility Act of 1996 becomes 
law. 


—NIST begins hosting anirual speaker recognition evaluations. 

-Ills opens the first fully automated Pori of Entry at Scobey, Montana relying upon 
voice verification technology 

1997 —The Human Autherticailon Application Program Interlace {API), the first 

comitnefcial, generic, biomerric interoperability siattdard is published. 

199S —The Department of State (DOS) begins collecting biometrics from Mexican nationals 
1 r applying to enter the U nited States with a Border Crossing Card (BCC). 


Ill 




1999 

2000 


2001 


2002 


^ FBI's IA FIS major componenis become operGiional. 

— The firsl Face Recognition Vendor Test {FRVT 2000) is held. 

— DoD establishes its Blometricis Management Office IBMO) and Biometrics Fusion 
Center (BFC). 

— The Visa Waiver Program Act of 2000 becomes law. 

— The Defense Advance Research Projects Agency {DARPAJ begins the Human 
Identification at a Distance (HumonID) Program. 

— The Biometric Application Programming Interface (BioAPI) specification is released. 

— The terrorist attacks of September lip 2001 ciccur. 

^FAA establishes Aviation Security Biometrics Working Group. 

— INCITS establishes Mt Technical Committee on Biometrics. 

— The USA PATRIDT Act becomes iaw_ 

— The Center for Identification Technology Research (CITeR) begins operation as a 
National Science Foundation IndustrylUniversity Cooperative Research Center. 

^The Enhanced Border Security and Visa Entry Refonm Act becomes law. 

^The ISO/I EC SC 37 standards subcommittee on biometrics Is established. 


— The Maritime Transportation Security Act becomes law, establishing the 
Transportation Worker Identification Credential {TWICJ. 

-FRVT20021S held. 

— The E-Government Act of 2002 becomes law. 


20D3 ^DOS begins collecting biometrics from visa applicants through the 
Bio Visa program. 

— The National Science and Technology Council charters a Subcommittee on 
Biometrics lo coordinate biometrics research and development (R&D). policy, 
outreach, and international collaboration across the federal government. 

^ICAO adopts blueprint to integrate biometrics into machtne-readable uavel 
documents. 

— The Department of Justice {DOJ}, DOS bnd HIST submit joint Patriot Act report to 
Congress on “Usie of Technology Standards and interoperable Databases with 
Machine-Readable, Tamper-Resistant Travel Documents” 

— Testing for the Fingerprint Vendor Technology Evaluation (FpVTE 2003) begins. 

^NfST begins Pfoprrelary Fingerprint Template (PFT) testing. 

~ Homeland Security Presideniial Directive (HSPD) b establishes the Terrorist 
Screening Center. 

2004 ^ HSPD-11 establishes a coordinated and comprehensive approach to terrorist- 

related screening. 

^HSPD-12 calls for standard, government-wide personal idenriflcatlon verification 
(PIV) credentials for all federal employees and contractors. 

— Face Recognition Grand Challenge begins. 

^International Meeting of Biometrics Experts held. 

— DHS' US-VJSIT pr^ram begins collecting biometrics from international visitors at 
all international air, sea, and land border ports of entry. 

— AirNexus kickoff - facilitated travel program operated Jointly with the Government 
1 F of Canada using iris veriftcation at kiosks for pre^nrolled travelefs 
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' Fingerprint Segmenietion Eveluaiion 20D4 (S]apSegC4}. 

— DoD's IAFlS-com{Mtibl« datebns^, Automated Biometric Ictentification System 
(A6IS), becomes operationeL 

— The firtgerprirtt Minutiae Interoperability Exchange (MINEX 04) tests begin. 

—The Intelligence Refornri and Terrorism Prevention Act becomes law. 

— DHS and NIST Initiate a program to develop human computer interaction (NGI) 
gtiidelinies and standards for biometric systems. 

— The first statewide automated palm print databases in the Linited States are 
deployed In California. Connecticut, and Rhode Island. 

|— The first Common Biometric Exchange Formats Frameworit (CBEFF) ANSI standard 
is published. 

— NIST Fingerprint Image Ouality assessment tool ts released. 

2005 — NIST Issues standarcls for federally mandated, government>wide PIV cards. 

pNIST hosts the 10-Print Capture Scanner ft Software Reguirepnents Workshop. 

— The Iris Challenge Evaluation 2005 (ICE 2005) Program is held. 

— The European Commission hosts a "Workshop on Ethical and Social Implications 
of Biometric Identification Technology: Toward an International Approach.** 

2006 — DoD reorganizes the 6MO and the BFC into the Biometrics Task Force (BTFj, 

— FRVT 2006 is held. 


— First imernatronal NtST Bfo/J>erric Ouslity Workshop is held. 

— Defense Science Board launches Task Force to study biometrics in the OoO. 

— DHS hosts the 10-Prim Capture User Group Industry Day. 

—NIST holds the Latent Fingerprini Testing Workshop. 

—A^ncies, working through the NSTC, begin the process of designing government¬ 
wide biometric system Interoperablllcy. 

— The President approves the National imp/emetitetiioti P/an for t/re- War on Terror, 

— WWW.bioiTietrics.qov is launched. 

— r/ie A/ar/ona/ B/ofruefrrcs C/iaf/ertge is issued, 

— ICE 2006 is held. 

— The United States hosts the "International Conference on Biometrics and Ethics" 


2007 


—Agencies, working through the NSTC and National Counterterrorism Center, begin 
collaboration to Improve the coordination of biomeiiic activities to stJp|X)rt efforts 
against known and suspected terrorists, 

— TWIC Enrolln^em and Issuance begins. 

— Technology demonstrations for the Fast Capture Rolled Equivalent Flnger/Palm 
Print Irtitiative begin. 

— NSTC expands the focus of its existing biometrics subcommittee, creating the 
NSTC Subcommittee on Biometrics and Identity Managenwnt. 

—NIST conducts Phase 1 of the Evaluation of Latent Fingerprint Technologies lELFT), 

— ANSI/NIST.ITL 1-2007 - Data Format for the Interchafige of Fingerprint. Facial* ft 
Other Biometric Information - Part 11s adopted. 


— NIST conducts MINEXII (Fingerprint Match on Card). 

— DHSPnVacy T^chnofogy tmphm^nti^tion 6u/de is issued, 

— fCSrC Policy for Enabtmg the Oeue/oprnejtt. Adoption 3t\d Use of Biorrieirrc 
1 r S randards i s I ssued. 
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^«NI5T releoses public domain build instructions for the Multimodal Siometric 
Application Resource Kit (MBARK), 


20(ia 


— DOS begins deploying 10.fingerprint collection at all visa.issuirkg posts. 

— US-VtSIT begins deploying lO-fingerprim collection at all U.S. airports. 

—Tbe NSTC Task Force on Identity Management is chartered, 

—The Multiple Biometric Grand Cholleitge [M6GC) begins. 

— DHS begins accepting applications for the Global Entry expedited trusted traveler 
program, 

—FBI plans devrelopment of the Next Generation Identification System to incorporate 
multimodal biometrics. 


— NSTC Registry of USG Recortifnendecf Biometric Standards is issued. 

—The President issues NSPD.59/HSPD-24: Siomefrfcs for rdenfificafiort and 
Screening to Enhance Netiouat Security. 

—The International Workshop on Usability and Biometrics Is held, 

— ANSirNIST-ITL 2.200& - XML Data Format for the Interchange of Fingerprint, Facial 
& Other Biometric Information - Pan 2 is adopted. 
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APPENDIX D — BIOMETRICS OPERATIONS TIMELINE 


1993 

1994 

1995 

1996 

1998 

1999 

2000 

2003 

2004 


2006 

2007 

2008 


' — Immigration and Naturalization Service (INS) initiates INSPASS using hand 

geometry at ports of entry to facilitate the inspection of business travelers to the US 
(using special kiosks and lanes that bypass the normal inspection lanes) 

— FBI plans development of the Integrated Automated Fingerprint Identification 
System (lAFIS). 

— INS’ IDENT system becomes operational. 

— INS uses facial recognition and voice recognition to verify the identity of pre¬ 
enrolled persons in vehicles crossing the border at Otay Mesa, California using a 
special, dedicated lane. 

— INS opens the first fully automated Port of Entry at Scobey, Montana relying upon 
voice verification technology 

— DOS begins collecting biometrics from Mexican nationals applying to enter the 
United States with a Border Crossing Card (8CC). 

— FBI's lAFIS major components become operational. 

— OoO establishes its Biometrics Management Office (BMO) and Biometrics Fusion 
Center (BFC). 

— DOS begins collecting biometrics from visa applicants through the BioVisa 
program. 

— DHS's US-VISIT program begins collecting biometrics from international visitors at 
all international air, sea, and land border ports of entry. 

— AirNexus kickoff - facilitated travel program operated jointly with the Government 
of Canada using iris verification at kiosks for pre^nrolled travelers 

— DoD's lAFIS-compatible database, Automated Biometric Identification System 
(ABIS), becomes operational. 

— The first statewide automated palm print databases in the United States are 
deployed in California, Connecticut, and Rhode Island. 

— DoO reorganizes the BMO and the BFC into the Biometrics Task Force (8TF). 

— TWIC enrollment and issuance begins. 

— DOS begins deploying 10-fingerprint collection at all visa-issuing posts. 

— US-VISIT begins deploying 10-fingerprint collection at all U.S. airports. 

— DHS begins accepting applications for the Global Entry expedited trusted traveler 
,, program. 


— FBI plans development of the Next Generation Identification System to incorporate 
multimodal biometrics. 
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